Play interactive tour

Edit tour

Analysis Report CiTUkFGiC4.exe

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	1034940
Start date:	07.01.2020
Start time:	14:50:47
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CiTUkFGiC4.exe
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.6% (good quality ratio 5.7%) Quality average: 36.7% Quality standard deviation: 41.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 604 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiPrvSE.exe Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	AgentTesla

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	Winlogon Helper DLL	Access Token Manipulation1	Masquerading1	Credential Dumping2	Virtualization/Sandbox Evasion13	Application Deployment Software	Email Collection1	Data Encrypted1	Standard Cryptographic Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Service Execution	Port Monitors	Process Injection22	Software Packing13	Credentials in Registry1	Process Discovery2	Remote Services	Data from Local System2	Exfiltration Over Other Network Medium	Fallback Channels	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Windows Management Instrumentation	Accessibility Features	Path Interception	Disabling Security Tools1	Input Capture	Security Software Discovery221	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	System Firmware	DLL Search Order Hijacking	Virtualization/Sandbox Evasion13	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Access Token Manipulation1	Account Manipulation	System Information Discovery114	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface	Modify Existing Service	New Service	Timestomp1	Brute Force	System Owner/User Discovery	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features
Spearphishing Attachment	Scripting	Path Interception	Scheduled Task	Process Injection22	Two-Factor Authentication Interception	Network Sniffing	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Spearphishing via Service	Third-party Software	Logon Scripts	Process Injection	Obfuscated Files or Information2	Bash History	Network Service Scanning	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for dropped file

Show sources

Source: \192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Antivirus detection for sample

Show sources

Source: CiTUkFGiC4.exe

Avira: detection malicious, Label: TR/Kryptik.leqfr

Multi AV Scanner detection for submitted file

Show sources

Source: CiTUkFGiC4.exe

Virustotal: Detection: 28%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: \192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CiTUkFGiC4.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 2.2.CiTUkFGiC4.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.0.CiTUkFGiC4.exe.1300000.0.unpack	Avira: Label: TR/Kryptik.leqfr
Source: 2.2.CiTUkFGiC4.exe.1300000.3.unpack	Avira: Label: TR/Kryptik.leqfr
Source: 0.0.CiTUkFGiC4.exe.1300000.0.unpack	Avira: Label: TR/Kryptik.leqfr

Networking:

Found strings which match to known social media urls

Show sources

Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Urls found in memory or binary data

Show sources

Source: CiTUkFGiC4.exe, 00000002.00000002.776310220.082A0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776310220.082A0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776310220.082A0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776310220.082A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: CiTUkFGiC4.exe, 00000002.00000002.765910004.02050000.00000004.00000001.sdmp, CiTUkFGiC4.exe, 00000002.00000002.775142830.079DD000.00000004.00000001.sdmp, CiTUkFGiC4.exe, 00000002.00000002.763685193.00643000.00000004.00000020.sdmp	String found in binary or memory: https://4BbXbK3IVCS0mei.net
Source: CiTUkFGiC4.exe, 00000002.00000002.765910004.02050000.00000004.00000001.sdmp	String found in binary or memory: https://4BbXbK3IVCS0mei.netp
Source: CiTUkFGiC4.exe, 00000002.00000002.765910004.02050000.00000004.00000001.sdmp	String found in binary or memory: https://4BbXbK3IVCS0mei.nettV1

System Summary:

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Code function: 2_2_047904BA NtQuerySystemInformation,

2_2_047904BA

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00235CAC	0_2_00235CAC
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00433C68	0_2_00433C68
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_0043C950	0_2_0043C950
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00437118	0_2_00437118
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_0043F138	0_2_0043F138
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00432640	0_2_00432640
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_0043D2C8	0_2_0043D2C8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00435048	0_2_00435048
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00433C50	0_2_00433C50
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_004370F8	0_2_004370F8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_0043F119	0_2_0043F119
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00432620	0_2_00432620
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00437780	0_2_00437780
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00437798	0_2_00437798
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A4858	0_2_005A4858
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A3068	0_2_005A3068
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AB4D0	0_2_005AB4D0
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AD090	0_2_005AD090
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AE190	0_2_005AE190
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A8358	0_2_005A8358
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AD760	0_2_005AD760
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A3048	0_2_005A3048
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AD070	0_2_005AD070
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A1CF0	0_2_005A1CF0
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A1CE4	0_2_005A1CE4
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AB4AF	0_2_005AB4AF
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A5648	0_2_005A5648
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005A0AA8	0_2_005A0AA8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_005AD740	0_2_005AD740
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F4920	0_2_012F4920
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F9D00	0_2_012F9D00
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F6020	0_2_012F6020
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012FBC40	0_2_012FBC40
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F04F0	0_2_012F04F0
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F6778	0_2_012F6778
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F87F0	0_2_012F87F0
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012FD638	0_2_012FD638
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_012F4902	0_2_012F4902
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00235CB4	0_2_00235CB4
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00613C68	2_2_00613C68
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_0061C950	2_2_0061C950
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00617118	2_2_00617118
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00612640	2_2_00612640
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_0061D2C8	2_2_0061D2C8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00615048	2_2_00615048
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00613C4A	2_2_00613C4A
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_006170F8	2_2_006170F8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00612620	2_2_00612620
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_0061777A	2_2_0061777A
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00617798	2_2_00617798
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A570E0	2_2_00A570E0
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5F800	2_2_00A5F800
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5A180	2_2_00A5A180
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5D120	2_2_00A5D120
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5C938	2_2_00A5C938
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5DEC8	2_2_00A5DEC8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A584A8	2_2_00A584A8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5F0F8	2_2_00A5F0F8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5F0C0	2_2_00A5F0C0
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A570CD	2_2_00A570CD
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A584C8	2_2_00A584C8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A53980	2_2_00A53980
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5D100	2_2_00A5D100
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5C918	2_2_00A5C918
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A53960	2_2_00A53960
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A52958	2_2_00A52958
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5DEA8	2_2_00A5DEA8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00A5F7E8	2_2_00A5F7E8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B00080	2_2_00B00080
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B07808	2_2_00B07808
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B0D848	2_2_00B0D848
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B01DB8	2_2_00B01DB8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B049A8	2_2_00B049A8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B03180	2_2_00B03180
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B06170	2_2_00B06170
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B0FBA8	2_2_00B0FBA8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B0AFE8	2_2_00B0AFE8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B0BF28	2_2_00B0BF28
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00B06F70	2_2_00B06F70
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_0616AA28	2_2_0616AA28
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_0616D6B8	2_2_0616D6B8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_06167B20	2_2_06167B20
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_061657F8	2_2_061657F8
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_06160080	2_2_06160080
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_06168900	2_2_06168900
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_06168538	2_2_06168538
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_06161DE8	2_2_06161DE8

PE file contains strange resources

Show sources

Source: CiTUkFGiC4.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Show sources

Source: CiTUkFGiC4.exe	Binary or memory string: OriginalFilename vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.567771770.00303000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.576614876.05C20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCyaX.dll0 vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.570062193.02C50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAfLkLmVMaqbuefpVhQYDYetqxmsRGsx.exe4 vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.572958168.048D1000.00000004.00000001.sdmp	Binary or memory string: originalFilename vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.572958168.048D1000.00000004.00000001.sdmp	Binary or memory string: get_OriginalFilename vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.572958168.048D1000.00000004.00000001.sdmp	Binary or memory string: LegalCopyright!OriginalFilename vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.572958168.048D1000.00000004.00000001.sdmp	Binary or memory string: SpecialBuild%File: %InternalName: %OriginalFilename: %FileVersion: %FileDescription: %Product: %ProductVersion: %Debug: %Patched: %PreRelease: %PrivateBuild: %SpecialBuild: %Language: vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.568680689.014D0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoftware Updates.dllB vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.568719220.01530000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.568443187.0136A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameModel.exe, vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000000.00000002.576301419.05A70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCyaX-Sharp.exe6 vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe	Binary or memory string: OriginalFilename vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameIEFRAME.DLL.MUID vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamep2pcollab.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameQAgentRT.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameDhcpQEC.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlasvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenapinsp.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepnrpnsp.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFVEUI.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamews2_32.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameiphlpapi.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWebServices.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedhcpcsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepcwum.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamefwpuclnt.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuserenv.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametsgqec.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCertEnrollj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewebio.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameperftrack.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCDOSYS.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedwmapi.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCertClij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecimwin32.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamegptext.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsobjs.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepnrpsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameazrolesj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedrt.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameNDIS.SYS.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamePeerDistSvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWsmRes.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameconsent.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCONHOST.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFINDSTR.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamePowerCfg.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewmic.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFIND.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesctasks.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAUDITPOL.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamereg.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecscript.exe.mui` vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesysmain.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenetman.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameTAPI32.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedavsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewscsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSUD.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamephotowiz.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameOobeFldr.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameMdSched.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsra.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameNWiFi.SYS.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesppuinotify.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWIAACMGR.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecscui.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemofd.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameUmpnpmgr.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameNetEvent.Dll.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedtsh.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedmocx.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameauthfwgp.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameUrlMon.dll.muiD vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameshimgvw.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameqasf.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameShapeCollector.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.776484273.0835A000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenewdev.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinsrv.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWinInit.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameservices.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamelsasrv.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewship6.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshqos.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametzres.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesppsvc.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameInput.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameTipTsf.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSpTip.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameTableTextService.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamegpsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameaero.msstyles.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametaskcomp.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamespoolsv.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameBFE.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametaskhost.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamej% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesnmptrap.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamelmhsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedwm.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedhcpcore.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesstpsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamelocalspl.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametaskeng.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWsdMon.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenetprofm.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameesrb.dll.muiH vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamestobject.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamerasdlg.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAltTab.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewscui.cpl.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametquery.dll.mui@ vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameesent.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameMsMpRes.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametwext.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamempr.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameschedsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFDResPub.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFunDisc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFDPrint.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameMSHTML.DLL.MUID vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHSVCS.DLL.MUIj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenametaskmgr.exe.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSndVolSSO.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewin32spl.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameinetpp.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameadvapi32.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.771867888.06CA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameprovsvc.dll.muij% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.763495193.00402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameAfLkLmVMaqbuefpVhQYDYetqxmsRGsx.exe4 vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.765152741.01060000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.763685193.00643000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs CiTUkFGiC4.exe
Source: CiTUkFGiC4.exe, 00000002.00000002.770092379.06080000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CiTUkFGiC4.exe

Yara signature match

Show sources

Source: CiTUkFGiC4.exe, type: SAMPLE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 00000000.00000002.576614876.05C20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 00000000.00000002.576614876.05C20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 00000000.00000002.568680689.014D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.Load.2204.sdmp, type: MEMORY	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 2.Load.2204.sdmp, type: MEMORY	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 2.Load.2204.sdmp, type: MEMORY	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: Process Memory Space: CiTUkFGiC4.exe PID: 4052, type: MEMORY	Matched rule: shadowHammer author = Alex Mundo \| McAfee ATR Team, description = Rule to detect ShadowHammer using the fake domain of asus and binary (overlay and not overlay, disk and memory)
Source: \192.168.1.2\W7_1_7\syscalls\dump\0.Load.2204.sdmp, type: DROPPED	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: \192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp, type: DROPPED	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: \192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp, type: DROPPED	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.5c20000.4.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.5c20000.4.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.5c20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.5c20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 2.2.CiTUkFGiC4.exe.1300000.3.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 2.0.CiTUkFGiC4.exe.1300000.0.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.1300000.0.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 2.2.CiTUkFGiC4.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 2.2.CiTUkFGiC4.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.10000000.5.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Desktop sample_md5 = 71cdba3859ca8bd03c1e996a790c04f9, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.2.CiTUkFGiC4.exe.10000000.5.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Source: 0.0.CiTUkFGiC4.exe.1300000.0.unpack, type: UNPACKEDPE	Matched rule: ConventionEngine_Term_Users sample_md5 = 09e4e6fa85b802c46bc121fcaecc5666, author = @stvemillertime, description = Searching for PE files with PDB path keywords, terms or anomalies., ref_blog = https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Show sources

Source: CiTUkFGiC4.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.Load.2204.sdmp.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains many API calls related to security

Show sources

Source: 1.Load.2204.sdmp.0.dr, WinDefender.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.Load.2204.sdmp.0.dr, WinDefender.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.Load.2204.sdmp.0.dr, X.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.Load.2204.sdmp.0.dr, X.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.Load.2204.sdmp.0.dr, X.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/0

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Code function: 2_2_0479033E AdjustTokenPrivileges,

2_2_0479033E

Creates mutexes

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

PE file has an executable .text section and no other executable section

Show sources

Source: CiTUkFGiC4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads ini files

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: CiTUkFGiC4.exe

Virustotal: Detection: 28%

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

File read: C:\Users\user\Desktop\CiTUkFGiC4.exe

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\CiTUkFGiC4.exe 'C:\Users\user\Desktop\CiTUkFGiC4.exe'
Source: unknown	Process created: C:\Users\user\Desktop\CiTUkFGiC4.exe C:\Users\user\Desktop\CiTUkFGiC4.exe
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process created: C:\Users\user\Desktop\CiTUkFGiC4.exe C:\Users\user\Desktop\CiTUkFGiC4.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9326B03-E51D-43A3-9394-9B8ECCDBAD9B}\InprocServer32

Jump to behavior

Uses Microsoft Silverlight

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

PE file contains a COM descriptor data directory

Show sources

Source: CiTUkFGiC4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CiTUkFGiC4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb source: CiTUkFGiC4.exe, 00000000.00000002.576614876.05C20000.00000004.00000001.sdmp
Source:	Binary string: indows\System.Configuration.pdbpdbion.pdb source: CiTUkFGiC4.exe, 00000002.00000002.764353517.00AC6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.pdbpdb source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.pdbL source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.pdbcro source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: soft.VisualBasic.pdb source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: indows\System.Management.pdbpdbent.pdbBas source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Configuration.pdb source: CiTUkFGiC4.exe, 00000002.00000002.764353517.00AC6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Configuration.pdbTT source: CiTUkFGiC4.exe, 00000002.00000002.764353517.00AC6000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: CiTUkFGiC4.exe, 00000002.00000002.764353517.00AC6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdb source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.pdb source: CiTUkFGiC4.exe, 00000002.00000002.764353517.00AC6000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb source: CiTUkFGiC4.exe
Source:	Binary string: em.Management.pdb source: CiTUkFGiC4.exe, 00000000.00000002.570803975.040CD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.Management.pdbs\d source: CiTUkFGiC4.exe, 00000000.00000002.568561577.01466000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: CiTUkFGiC4.exe, 00000000.00000002.568719220.01530000.00000002.00000001.sdmp, CiTUkFGiC4.exe, 00000002.00000002.770092379.06080000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.Configuration.pdb source: CiTUkFGiC4.exe, 00000002.00000002.764353517.00AC6000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0.Load.2204.sdmp.0.dr, StreamSound.cs	.Net Code: Final System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.Load.2204.sdmp.0.dr, X.cs	.Net Code: reflection System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.Load.2204.sdmp.0.dr, X.cs	.Net Code: StartInject System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xE536459E [Sat Nov 10 13:20:30 2091 UTC]

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_002352E8 push ecx; retn 0023h	0_2_002352E9
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_002352F4 push ebp; retn 0023h	0_2_002352F5
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00235311 push 61002000h; retn 0023h	0_2_00235319
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00436BE8 pushfd ; iretd	0_2_00436BE9
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 0_2_00436798 pushad ; retf	0_2_00436799
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00616BE2 pushfd ; iretd	2_2_00616BE9
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Code function: 2_2_00616798 pushad ; retf	2_2_00616799

Binary may include packed or encrypted code

Show sources

Source: initial sample	Static PE information: section name: .text entropy: 7.89722730555
Source: initial sample	Static PE information: section name: .text entropy: 7.82833887585

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File created: \192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	Jump to dropped file
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File created: \192.168.1.2\W7_1_7\syscalls\dump\0.Load.2204.sdmp	Jump to dropped file
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File created: \192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File created: \192.168.1.2\W7_1_7\syscalls\dump\0.Load.2204.sdmp	Jump to dropped file
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File created: \192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp	Jump to dropped file
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File created: \192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found Joe Sandbox artefacts in file paths (likely an evasion)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File operation: fileCreated: \\192.168.1.2\W7_1_7\syscalls\dump\0.Load.2204.sdmp	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File operation: fileCreated: \\192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File operation: fileCreated: \\192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	Jump to behavior

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: CiTUkFGiC4.exe PID: 2204, type: MEMORY

Yara detected Cassandra Crypter

Show sources

Source: Yara match	File source: 00000000.00000002.576614876.05C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.Load.2204.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.569984048.01C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CiTUkFGiC4.exe PID: 2204, type: MEMORY
Source: Yara match	File source: \192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp, type: DROPPED
Source: Yara match	File source: 0.2.CiTUkFGiC4.exe.5c20000.4.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Dropped PE file which has not been started: \192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	Jump to dropped file
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Dropped PE file which has not been started: \192.168.1.2\W7_1_7\syscalls\dump\0.Load.2204.sdmp	Jump to dropped file
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Dropped PE file which has not been started: \192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 2224	Thread sleep time: -54009s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 2376	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 2376	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 620	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 4004	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 4004	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe TID: 1104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIYSOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionYSOFTWARE\Policies\Microsoft\Windows Defender%DisableAntiSpyware
Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CiTUkFGiC4.exe, 00000000.00000002.573899605.04AAF000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU

Queries a list of all running processes

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Memory written: C:\Users\user\Desktop\CiTUkFGiC4.exe base: 400000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Thread register set: target process: 4052

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: CiTUkFGiC4.exe, 00000002.00000002.765747318.013A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: CiTUkFGiC4.exe, 00000002.00000002.765747318.013A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: CiTUkFGiC4.exe, 00000002.00000002.765747318.013A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.765910004.02050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CiTUkFGiC4.exe PID: 4052, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\CiTUkFGiC4.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Show sources

Source: Yara match	File source: 00000002.00000002.765910004.02050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CiTUkFGiC4.exe PID: 4052, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.765910004.02050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CiTUkFGiC4.exe PID: 4052, type: MEMORY

Malware Configuration

No configs have been found

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
14:52:27	API Interceptor	641x Sleep call for process: CiTUkFGiC4.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CiTUkFGiC4.exe	29%	Virustotal		Browse
CiTUkFGiC4.exe	13%	Metadefender		Browse
CiTUkFGiC4.exe	100%	Avira	TR/Kryptik.leqfr
CiTUkFGiC4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
\192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp	100%	Avira	TR/Crypt.XDR.Gen
\192.168.1.2\W7_1_7\syscalls\dump\1.Load.2204.sdmp	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.CiTUkFGiC4.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.0.CiTUkFGiC4.exe.1300000.0.unpack	100%	Avira	TR/Kryptik.leqfr	Download File
2.2.CiTUkFGiC4.exe.1300000.3.unpack	100%	Avira	TR/Kryptik.leqfr	Download File
0.0.CiTUkFGiC4.exe.1300000.0.unpack	100%	Avira	TR/Kryptik.leqfr	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	Virustotal		Browse
http://www.merlin.com.pl/favicon.ico	0%	Virustotal		Browse
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	Virustotal		Browse
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	Virustotal		Browse
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
CiTUkFGiC4.exe	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xa5bd:$anchor: Users 0xa5a2:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author	Strings
\192.168.1.2\W7_1_7\syscalls\dump\0.Load.2204.sdmp	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xda3:$anchor: Users 0xd88:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
\192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1a6b:$anchor: Desktop 0x24eb:$anchor: Desktop 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
\192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x24db:$anchor: Users 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
\192.168.1.2\W7_1_7\syscalls\dump\2.Load.2204.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.576614876.05C20000.00000004.00000001.sdmp	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1a6b:$anchor: Desktop 0x24eb:$anchor: Desktop 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
00000000.00000002.576614876.05C20000.00000004.00000001.sdmp	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x24db:$anchor: Users 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
00000000.00000002.576614876.05C20000.00000004.00000001.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000000.00000002.568680689.014D0000.00000004.00000001.sdmp	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xda3:$anchor: Users 0xd88:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
0.Load.2204.sdmp	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xda3:$anchor: Users 0xd88:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
00000002.00000002.765910004.02050000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.765910004.02050000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.Load.2204.sdmp	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1a6b:$anchor: Desktop 0x24eb:$anchor: Desktop 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
2.Load.2204.sdmp	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x24db:$anchor: Users 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
2.Load.2204.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
00000000.00000002.569984048.01C60000.00000004.00000001.sdmp	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
Process Memory Space: CiTUkFGiC4.exe PID: 2204	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CiTUkFGiC4.exe PID: 2204	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
Process Memory Space: CiTUkFGiC4.exe PID: 4052	shadowHammer	Rule to detect ShadowHammer using the fake domain of asus and binary (overlay and not overlay, disk and memory)	Alex Mundo \| McAfee ATR Team	0x52ec24:$d: 68 6F 74 66 0x52ecb0:$d: 68 6F 74 66 0x5316e3:$d: 68 6F 74 66 0x53176f:$d: 68 6F 74 66 0x2256b6:$d1: 61 73 75 73 0x228881:$d1: 61 73 75 73 0x2288ca:$d1: 61 73 75 73 0x228aad:$d1: 61 73 75 73 0x228c55:$d1: 61 73 75 73 0x228e64:$d1: 61 73 75 73 0x4d673c:$d1: 61 73 75 73 0x4d675f:$d1: 61 73 75 73 0x78961a:$d2: 69 78 2E 63 0x7896a1:$d2: 69 78 2E 63
Process Memory Space: CiTUkFGiC4.exe PID: 4052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CiTUkFGiC4.exe PID: 4052	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CiTUkFGiC4.exe.5c20000.4.unpack	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x6eb:$anchor: Desktop 0x6c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
0.2.CiTUkFGiC4.exe.5c20000.4.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x6db:$anchor: Users 0x6c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
0.2.CiTUkFGiC4.exe.5c20000.4.raw.unpack	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x1a6b:$anchor: Desktop 0x24eb:$anchor: Desktop 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
0.2.CiTUkFGiC4.exe.5c20000.4.raw.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x24db:$anchor: Users 0x24c0:$pcre: RSDS\x03\x0B\xECI\xE5\xC6?L\x8B\xC6`mF\x8FP\xF6\x01C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb
0.2.CiTUkFGiC4.exe.5c20000.4.raw.unpack	JoeSecurity_CassandraCrypter	Yara detected Cassandra Crypter	Joe Security
0.2.CiTUkFGiC4.exe.14d0000.1.raw.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xda3:$anchor: Users 0xd88:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
2.2.CiTUkFGiC4.exe.1300000.3.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xa5bd:$anchor: Users 0xa5a2:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
2.0.CiTUkFGiC4.exe.1300000.0.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xa5bd:$anchor: Users 0xa5a2:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
0.2.CiTUkFGiC4.exe.1300000.0.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xa5bd:$anchor: Users 0xa5a2:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb
2.2.CiTUkFGiC4.exe.10000000.6.unpack	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x885b8:$anchor: Desktop 0x88590:$pcre: RSDS\x80y\xF5\xBCnF}@\x84^J\xF2A\xCD\xB4\xBD6C:\Users\Stefan\Desktop\SimpleProfiler\Release\SimpleProfiler.pdb
2.2.CiTUkFGiC4.exe.10000000.6.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x885ab:$anchor: Users 0x88590:$pcre: RSDS\x80y\xF5\xBCnF}@\x84^J\xF2A\xCD\xB4\xBD6C:\Users\Stefan\Desktop\SimpleProfiler\Release\SimpleProfiler.pdb
0.2.CiTUkFGiC4.exe.10000000.5.unpack	ConventionEngine_Term_Desktop	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x885b8:$anchor: Desktop 0x88590:$pcre: RSDS\x80y\xF5\xBCnF}@\x84^J\xF2A\xCD\xB4\xBD6C:\Users\Stefan\Desktop\SimpleProfiler\Release\SimpleProfiler.pdb
0.2.CiTUkFGiC4.exe.10000000.5.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0x885ab:$anchor: Users 0x88590:$pcre: RSDS\x80y\xF5\xBCnF}@\x84^J\xF2A\xCD\xB4\xBD6C:\Users\Stefan\Desktop\SimpleProfiler\Release\SimpleProfiler.pdb
0.0.CiTUkFGiC4.exe.1300000.0.unpack	ConventionEngine_Term_Users	Searching for PE files with PDB path keywords, terms or anomalies.	@stvemillertime	0xa5bd:$anchor: Users 0xa5a2:$pcre: RSDS\xCA\x09\xE3PcG\xC6F\xA9N\x09\x9B\x95\xA2M\x16\x01C:\Users\Sako\source\repos\HyperCloud\HyperCloud\obj\Debug\Software Updates.pdb

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CiTUkFGiC4.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Malware Configuration

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails