
Analysis Report citadel_3.1.0.0.vir

Overview

General Information

Sample Name: citadel_3.1.0.0.vir (renamed file extension from vir to exe)
Analysis ID: 247548
MD5: 3d3ef329a4d920735fbc6c56d2a15691
SHA1: 74c7c9c8470ea55c04ee3c7fe168793ee32d4686
SHA256: 1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235


Detection

ZeusVM
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Allocates memory in foreign processes
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)
Drops batch files with force delete cmd (self deletion)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Internet Explorer zone settings
Overwrites Windows DLL code with PUSH RET codes
Overwrites code with function prologues
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes / dynamic malware analysis system (mutex check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes / dynamic malware analysis system (tool check)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Deletes Internet Explorer cookies via registry
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Internet Provider seen in connection with other malware
May initialize a security null descriptor
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001D.00000000.773119761.0000000000F20000.00000040.00000001.sdmp | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
00000016.00000002.853918766.00000000012D0000.00000040.00000001.sdmp | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
0000000C.00000003.628784740.0000000000D20000.00000040.00000001.sdmp | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
0000000E.00000003.656861728.0000000000FE0000.00000040.00000001.sdmp | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
0000001B.00000002.866613925.00000000018C0000.00000040.00000001.sdmp | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
(64 matching memory dumps in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1c10000.1.raw.unpack | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
4.0.taskhostw.exe.b60000.0.raw.unpack | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
27.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.18c0000.1.raw.unpack | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
15.0.RuntimeBroker.exe.ca0000.0.raw.unpack | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
28.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1340000.1.raw.unpack | citadel13xy | Citadel 1.5.x.y trojan banker | Jean-Philippe Teissier / @Jipe_
  • 0x9884:$c: %BOTID%
  • 0x988c:$d: %BOTNET%
  • 0x192c:$e: cit_video.module
  • 0xa668:$f: bc_remove
  • 0xa674:$g: bc_add
  • 0x9fec:$ggurl: http://www.google.com/webhp
(107 matching unpacked PEs in total; the first 5 are shown)
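Every memory dump and unpacked PE above reports the same six citadel13xy string hits at the same offsets, which is what one injected image copied into many host processes looks like. The script below is an added example, not part of the Joe Sandbox report and not the original YARA rule: it scans a buffer for exactly those marker strings and prints hits in the report's offset:identifier: string layout. The 0xB000-byte buffer it builds is constructed test data with the markers placed at the offsets shown above, and the three-of-six threshold for calling a buffer Citadel is an assumption, since the rule's condition is not shown on this page.

```python
"""Scan a memory dump or unpacked PE for the citadel13xy marker strings.

Added example; not Joe Sandbox code and not the original YARA rule. The
string set is copied from the matched strings in the report; MIN_MATCHES is
an assumption (the rule's condition is not on the page).
"""
from __future__ import annotations

# Identifier -> marker string, as listed in the report's match tables.
CITADEL_STRINGS: dict[str, bytes] = {
    "$c": b"%BOTID%",
    "$d": b"%BOTNET%",
    "$e": b"cit_video.module",
    "$f": b"bc_remove",
    "$g": b"bc_add",
    "$ggurl": b"http://www.google.com/webhp",
}

MIN_MATCHES = 3  # assumption: distinct identifiers needed before flagging


def find_markers(data: bytes) -> list[tuple[int, str, bytes]]:
    """Return every occurrence of every marker as (offset, identifier, string),
    sorted by offset. Repeated hits of one string are all reported, as a YARA
    string match would be."""
    hits: list[tuple[int, str, bytes]] = []
    for ident, needle in CITADEL_STRINGS.items():
        start = 0
        while (pos := data.find(needle, start)) != -1:
            hits.append((pos, ident, needle))
            start = pos + 1
    return sorted(hits)


def is_citadel(data: bytes) -> bool:
    """Flag the buffer when at least MIN_MATCHES distinct identifiers hit."""
    return len({ident for _, ident, _ in find_markers(data)}) >= MIN_MATCHES


def format_hits(hits: list[tuple[int, str, bytes]]) -> list[str]:
    """Render hits the way the report does, e.g. '0x9884:$c: %BOTID%'."""
    return [f"0x{off:x}:{ident}: {s.decode()}" for off, ident, s in hits]


def scan_file(path: str) -> list[str]:
    """Scan a .sdmp / .unpack file from disk (offline, read-only)."""
    with open(path, "rb") as f:
        return format_hits(find_markers(f.read()))


def constructed_dump() -> bytes:
    """Synthetic 0xB000-byte buffer with the markers at the offsets the report
    shows. Constructed test data, not the sample itself."""
    buf = bytearray(0xB000)
    placements = {
        0x9884: b"%BOTID%",
        0x988C: b"%BOTNET%",
        0x192C: b"cit_video.module",
        0xA668: b"bc_remove",
        0xA674: b"bc_add",
        0x9FEC: b"http://www.google.com/webhp",
    }
    for off, s in placements.items():
        buf[off:off + len(s)] = s
    return bytes(buf)


if __name__ == "__main__":
    dump = constructed_dump()
    for line in format_hits(find_markers(dump)):
        print(line)
    print("citadel:", is_citadel(dump))
```

Point scan_file at an exported .sdmp or .unpack file to get the same offset listing for a real dump. Plain string matching like this is cheap and works on injected images (which is why the same offsets recur in explorer.exe, svchost.exe, RuntimeBroker.exe and the other hosts above), but it is trivially defeated by a rebuilt or string-obfuscated build, so treat a hit as a pivot for deeper triage rather than a verdict on its own.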

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Dore\ceza.exe, ParentImage: C:\Users\user\AppData\Roaming\Dore\ceza.exe, ParentProcessId: 4484, ProcessCommandLine: , ProcessId: 2336
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Dore\ceza.exe, ParentImage: C:\Users\user\AppData\Roaming\Dore\ceza.exe, ParentProcessId: 4484, ProcessCommandLine: , ProcessId: 2336
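Both Sigma hits above come down to one observation: svchost.exe (PID 2336) was started by C:\Users\user\AppData\Roaming\Dore\ceza.exe, the dropped file flagged under AV detection, instead of by services.exe from System32. The Python below is an added example, not Joe Sandbox or Sigma project code, that applies that parent-process logic to a handful of process-creation events. The first event reproduces the data recorded above; the others are constructed benign controls. The expected-parent names, the core-binary list and the trusted directories are an approximation of what the two rules exclude and should be read as assumptions.

```python
"""Apply the parent-process logic behind the two Sigma hits above to
process-creation events.

Added example, not Joe Sandbox or Sigma project code. The sets below
approximate what "Suspicious Svchost Process" and "Windows Processes
Suspicious Parent Directory" exclude; treat them as assumptions and check
the rules themselves before deploying.
"""
from __future__ import annotations

import ntpath

# Parents from which svchost.exe is legitimately started (approximation).
SVCHOST_EXPECTED_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe",
}

# Core Windows binaries whose parent should live in a system directory (approximation).
CORE_WINDOWS_BINARIES = {
    "svchost.exe", "taskhost.exe", "lsm.exe", "lsass.exe", "services.exe",
    "lsaiso.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
}

# Lower-cased directory fragments a core binary's parent is expected to come from.
TRUSTED_PARENT_DIRS = ("\\system32\\", "\\syswow64\\")

RULE_SVCHOST = "Suspicious Svchost Process"
RULE_PARENT_DIR = "Windows Processes Suspicious Parent Directory"


def _name(path: str | None) -> str:
    """Lower-cased file name of a Windows path ('' when the path is missing)."""
    return ntpath.basename(path or "").lower()


def suspicious_svchost(event: dict) -> bool:
    """svchost.exe started by something other than an expected parent.
    Events with no parent recorded are not flagged (the rule filters them out)."""
    if _name(event.get("Image")) != "svchost.exe":
        return False
    parent = event.get("ParentImage")
    if not parent:
        return False
    return _name(parent) not in SVCHOST_EXPECTED_PARENTS


def suspicious_parent_dir(event: dict) -> bool:
    """A core Windows binary whose parent lives outside System32 / SysWOW64."""
    if _name(event.get("Image")) not in CORE_WINDOWS_BINARIES:
        return False
    parent = event.get("ParentImage")
    if not parent:
        return False
    return not any(d in parent.lower() for d in TRUSTED_PARENT_DIRS)


def evaluate(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (ProcessId, ParentImage, matched rule titles) for every event that fires."""
    findings = []
    for ev in events:
        matched = []
        if suspicious_svchost(ev):
            matched.append(RULE_SVCHOST)
        if suspicious_parent_dir(ev):
            matched.append(RULE_PARENT_DIR)
        if matched:
            findings.append((ev["ProcessId"], ev["ParentImage"], matched))
    return findings


# Constructed events. EVENTS[0] reproduces the process-start data in the report;
# the rest are benign controls written for this example.
EVENTS: list[dict] = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\Dore\ceza.exe",
     "ParentProcessId": 4484, "ProcessId": 2336},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentProcessId": 700, "ProcessId": 1010},
    {"Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe",
     "ParentProcessId": 520, "ProcessId": 680},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": None,  # parent not recorded: neither rule fires
     "ParentProcessId": None, "ProcessId": 3333},
]

if __name__ == "__main__":
    for pid, parent, rules in evaluate(EVENTS):
        print(f"PID {pid} parent={parent}: {', '.join(rules)}")
```

Only the first event fires, and it fires both rules, which matches the two entries above. The unpacked-PE list later in this report includes svchost.exe dumps (2.0.svchost.exe and 2.3.svchost.exe) carrying the same Avira label as the sample, consistent with that svchost.exe being an injection host rather than a service host; the parent-process anomaly is the cheap signal that makes it worth pulling those dumps.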

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: citadel_3.1.0.0.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Avira: detection malicious, Label: HEUR/AGEN.1009958
Multi AV Scanner detection for submitted file
Source: citadel_3.1.0.0.exe | Virustotal: Detection: 87%
Source: citadel_3.1.0.0.exe | Metadefender: Detection: 64%
Source: citadel_3.1.0.0.exe | ReversingLabs: Detection: 84%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: citadel_3.1.0.0.exe | Joe Sandbox ML: detected
Source: 23.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.f10000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 0.2.citadel_3.1.0.0.exe.400000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 22.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.12d0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 21.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.b00000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 4.0.taskhostw.exe.b60000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 16.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.fd0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 21.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.b00000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 18.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.d50000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 25.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1660000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 11.0.SearchUI.exe.2f0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 26.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.d70000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 4.3.taskhostw.exe.b60000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 7.3.explorer.exe.33f0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 16.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.fd0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 0.3.citadel_3.1.0.0.exe.5d0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1660000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 2.0.svchost.exe.540000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 12.3.RuntimeBroker.exe.d20000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 31.0.MusNotifyIcon.exe.4d0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 32.2.cmd.exe.5b0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 5.3.ctfmon.exe.10000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 27.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.18c0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 27.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.18c0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 3.0.sihost.exe.9a0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 12.0.RuntimeBroker.exe.d20000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 26.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.d70000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 31.3.MusNotifyIcon.exe.4d0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 13.0.smartscreen.exe.760000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 0.2.citadel_3.1.0.0.exe.880000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.2.ceza.exe.400000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 14.3.RuntimeBroker.exe.fe0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 18.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.d50000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 7.0.explorer.exe.33f0000.10.unpack | Avira: Label: TR/Hijacker.Gen
Source: 28.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1340000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 10.0.ShellExperienceHost.exe.d10000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 30.3.conhost.exe.9a0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 0.3.citadel_3.1.0.0.exe.620000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.citadel_3.1.0.0.exe.620000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 22.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.12d0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 2.3.svchost.exe.540000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 24.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1c10000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.3.ceza.exe.7f0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.dllhost.exe.d90000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 30.0.conhost.exe.9a0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 29.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.f20000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 17.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.12e0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 33.3.conhost.exe.480000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 15.3.RuntimeBroker.exe.ca0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 10.3.ShellExperienceHost.exe.d10000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 13.3.smartscreen.exe.760000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 17.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.12e0000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 3.3.sihost.exe.9a0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 14.0.RuntimeBroker.exe.fe0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 23.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.f10000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 9.3.dllhost.exe.d90000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 28.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1340000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 24.2.ohboiqJqHvhRjcjahDqpeOmSSf.exe.1c10000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 5.0.ctfmon.exe.10000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 11.3.SearchUI.exe.2f0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 29.0.ohboiqJqHvhRjcjahDqpeOmSSf.exe.f20000.1.unpack | Avira: Label: TR/Hijacker.Gen
Source: 15.0.RuntimeBroker.exe.ca0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_004348E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_00434978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_00422AA8 CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_008B48E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_008B4978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_008A2AA8 CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_004348E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_00434978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_00422AA8 CryptUnprotectData,LocalFree,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_01004978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_010048E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_00FF2AA8 CryptUnprotectData,LocalFree,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_01314978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_013148E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_01302AA8 CryptUnprotectData,LocalFree,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 18_2_00D848E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 18_2_00D84978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 18_2_00D72AA8 CryptUnprotectData,LocalFree,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 21_2_00B348E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 21_2_00B34978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 21_2_00B22AA8 CryptUnprotectData,LocalFree,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 22_2_01304978 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 22_2_013048E4 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 22_2_012F2AA8 CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_004178BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_008978BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_004178BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_00FE78BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_012F78BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 18_2_00D678BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 21_2_00B178BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 22_2_012E78BE GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_0040B68B WaitForSingleObject,FindFirstFileW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_0043AEB3 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_0043AF6E FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\citadel_3.1.0.0.exe | Code function: 0_2_008BAF6E SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_0040B68B WaitForSingleObject,FindFirstFileW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_0043AEB3 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\user\AppData\Roaming\Dore\ceza.exe | Code function: 1_2_0043AF6E FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_0100AF6E FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_00FDB68B WaitForSingleObject,FindFirstFileW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 16_2_0100AEB3 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_0131AF6E FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_0131AEB3 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 17_2_012EB68B WaitForSingleObject,FindFirstFileW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 18_2_00D5B68B WaitForSingleObject,FindFirstFileW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,FileTimeToSystemTime,WaitForSingleObject,WaitForSingleObject,Sleep,FindNextFileW,FindClose,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSLdmCKKsz\ohboiqJqHvhRjcjahDqpeOmSSf.exe | Code function: 18_2_00D8AEB3 PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\KpJyvHMNZETxtzalrrqjKObeddrRvGtbbowsrIOGEaIaHfxMwIqXdsfFhUjOGSL