Analysis Report C&F.exe

Overview

General Information

Sample Name: C&F.exe
Analysis ID: 296318
MD5: 67633b0950101ba4edc4c7d3559820a7
SHA1: 8d5ddb0f3cce4f300b4c2812211170ad7c7bc5e5
SHA256: aff4e29973c297fd764b3ba81237afd91912f51f9a4babfd766ce80f9ace2676
Tags: exe

Detection

HawkEye MailPassView Ramnit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Ramnit
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • C&F.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\C&F.exe' MD5: 67633B0950101BA4EDC4C7D3559820A7)
    • C&Fmgr.exe (PID: 6668 cmdline: C:\Users\user\Desktop\C&Fmgr.exe MD5: FE36FB1073E6F8FA14D7250501A29AAF)
    • C&F.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\C&F.exe' MD5: 67633B0950101BA4EDC4C7D3559820A7)
      • vbc.exe (PID: 7056 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4D2.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 1344 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD480.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • C&F.exe (PID: 6796 cmdline: 'C:\Users\user\Desktop\C&F.exe' 2 6708 5027625 MD5: 67633B0950101BA4EDC4C7D3559820A7)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x80f3a:$s2: _ScreenshotLogger
  • 0x80f07:$s3: _PasswordStealer
00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Ramnit | Yara detected Ramnit | Joe Security
00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp | Ramnit | Ramnit Payload | kevoreilly
  • 0x1527:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 ...
  • 0x75b6:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 ...
  • 0xfc06:$DGA: 33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 ...
  • 0x7851:$xor_loop: 83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 ...
  • 0x5006:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
  • 0x21f84:$id_string: {%08X-%04X-%04X-%04X-%08X%04X}
00000015.00000002.394519379.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
(40 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.C&F.exe.22c0000.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8113a:$s2: _ScreenshotLogger
  • 0x81107:$s3: _PasswordStealer
3.2.C&F.exe.22c0000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
3.2.C&F.exe.22c0000.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x81107:$str1: _PasswordStealer
  • 0x81118:$str2: _KeyStrokeLogger
  • 0x8113a:$str3: _ScreenshotLogger
  • 0x81129:$str4: _ClipboardLogger
  • 0x8114c:$str5: _WebCamLogger
  • 0x81261:$str6: _AntiVirusKiller
  • 0x8124f:$str7: _ProcessElevation
  • 0x81216:$str8: _DisableCommandPrompt
  • 0x8131c:$str9: _WebsiteBlocker
  • 0x8132c:$str9: _WebsiteBlocker
  • 0x81202:$str10: _DisableTaskManager
  • 0x8127d:$str11: _AntiDebugger
  • 0x81307:$str12: _WebsiteVisitorSites
  • 0x8122c:$str13: _DisableRegEdit
  • 0x8128b:$str14: _ExecutionDelay
  • 0x811b0:$str15: _InstallStartupPersistance
3.1.C&F.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x120222:$s2: _ScreenshotLogger
  • 0x1201ef:$s3: _PasswordStealer
3.1.C&F.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(32 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: C&F.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\Desktop\C&Fmgr.exe | Avira: detection malicious, Label: W32/Ramnit.1198
Found malware configuration
Source: vbc.exe.7056.7.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\C&Fmgr.exe | Metadefender: Detection: 81%
Source: C:\Users\user\Desktop\C&Fmgr.exe | ReversingLabs: Detection: 97%
Multi AV Scanner detection for submitted file
Source: C&F.exe | ReversingLabs: Detection: 91%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\C&Fmgr.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: C&F.exe | Joe Sandbox ML: detected
Source: 5.2.C&F.exe.400000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 0.2.C&F.exe.400000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 5.0.C&F.exe.400000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 0.2.C&F.exe.2880000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.C&F.exe.22c0000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.C&F.exe.400000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 3.2.C&F.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.C&Fmgr.exe.510000.1.unpack | Avira: Label: W32/Ramnit.1198
Source: 1.0.C&Fmgr.exe.400000.0.unpack | Avira: Label: W32/Ramnit.1198
Source: 3.2.C&F.exe.21f0000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.0.C&F.exe.400000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 1.2.C&Fmgr.exe.400000.0.unpack | Avira: Label: TR/Ramnif.aouen
Source: C&Fmgr.exe | Binary or memory string: autorun.inf
Source: C&Fmgr.exe | Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=%s shell\explore\command=%s USEAUTOPLAY=1 shell\Open\command=%s
Source: C&Fmgr.exe, 00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp | Binary or memory string: [autorun]
Source: C&Fmgr.exe, 00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp | Binary or memory string: //--></SCRIPT><!---->RmNautorun.infexecpl[autorun]
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_004088EC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_004088EC
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_00405A04 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405A04
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_004011F8 FindClose,FindFirstFileA,FindClose, 1_2_004011F8
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_004088EC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 5_2_004088EC
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00405A04 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 5_2_00405A04

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.7:49726 -> 54.39.139.67:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: Joe Sandbox View | IP Address: 54.39.139.67
Source: Joe Sandbox View | IP Address: 66.171.248.178
Source: C:\Users\user\Desktop\C&F.exe | Code function: 3_2_023CA186 recv, 3_2_023CA186
Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
          Source: vbc.exe, 00000007.00000002.262384413.00000000009F2000.00000004.00000001.sdmpString found in binary or memory: tus=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginhrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorize equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 194.167.4.0.in-addr.arpa
Source: C&F.exe, 00000003.00000002.507023162.0000000002C36000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: C&F.exe, 00000003.00000002.505213294.0000000002A33000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: C&F.exe, 00000003.00000002.506556539.0000000002BEE000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.comx&.q
Source: C&F.exe, 00000003.00000002.512981729.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: C&F.exe, 00000003.00000002.512981729.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: C&F.exe, 00000003.00000002.512981729.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: C&F.exe, 00000003.00000002.512981729.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: C&F.exe, 00000003.00000002.512981729.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: C&F.exe | String found in binary or memory: http://pomf.cat/upload.php
Source: C&F.exe, 00000000.00000002.240721672.0000000002882000.00000040.00000001.sdmp, C&F.exe, 00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: C&F.exe, 00000003.00000002.505213294.0000000002A33000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: vbc.exe, 00000007.00000002.262231830.0000000000708000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpLMEMh
Source: vbc.exe, 00000007.00000002.262231830.0000000000708000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMp
Source: vbc.exe, 00000007.00000002.260720295.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000015.00000002.394519379.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542117
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp, vbc.exe, 00000007.00000003.259976138.00000000009F1000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
Source: C&F.exe, 00000003.00000002.505213294.0000000002A33000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=
Source: vbc.exe, 00000007.00000003.260054243.00000000009EF000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.259525801.00000000009F0000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.259940577.00000000009EF000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
Source: vbc.exe, 00000007.00000002.262384413.00000000009F2000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: https://go.microsoft.
Source: vbc.exe, 00000007.00000003.258656231.00000000009F0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: C&F.exe, 00000003.00000002.512981729.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe, 00000007.00000002.262231830.0000000000708000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 00000007.00000002.262293741.000000000071E000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/ima

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240721672.0000000002882000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240792664.000000000291F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.233355502.00000000004C7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.497067344.000000000049F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.499886846.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.496517531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.500602613.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.505227778.0000000002A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C&F.exe PID: 6708, type: MEMORY
Source: Yara match | File source: Process Memory Space: C&F.exe PID: 6640, type: MEMORY
Source: Yara match | File source: 3.2.C&F.exe.22c0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.C&F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.C&F.exe.2160000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.C&F.exe.2160000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C&F.exe.2880000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.C&F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.C&F.exe.21f0000.3.unpack, type: UNPACKEDPE
Yara detected Ramnit
Source: Yara match | File source: 00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C&Fmgr.exe PID: 6668, type: MEMORY
Source: Yara match | File source: 1.2.C&Fmgr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C&Fmgr.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Keylogger Generic
Source: Yara match | File source: Process Memory Space: C&F.exe PID: 6640, type: MEMORY
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00406FC2 OpenClipboard
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_0043335C GetClipboardData,GlobalFix,GlobalUnWire
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00423DB4 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_0043B020 GetKeyboardState
Source: C&F.exe, 00000000.00000002.238309167.000000000088A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ramnit
Source: Yara match | File source: 00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C&Fmgr.exe PID: 6668, type: MEMORY
Source: Yara match | File source: 1.2.C&Fmgr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C&Fmgr.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Ramnit Payload | Author: kevoreilly
Source: 00000015.00000002.394519379.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 00000000.00000002.240721672.0000000002882000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000000.00000002.240792664.000000000291F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000001.233355502.00000000004C7000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000002.497067344.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000002.499886846.0000000002160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000002.499886846.0000000002160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 00000003.00000002.496517531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000002.500602613.00000000022C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000002.505227778.0000000002A39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000003.00000002.505008957.0000000002970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: Process Memory Space: C&F.exe PID: 6708, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: C&F.exe PID: 6640, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.2.C&F.exe.22c0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.2.C&F.exe.22c0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 3.1.C&F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.1.C&F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 1.2.C&Fmgr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Ramnit Payload | Author: kevoreilly
Source: 3.2.C&F.exe.2160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.2.C&F.exe.2160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 3.2.C&F.exe.2160000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.2.C&F.exe.2160000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 3.2.C&F.exe.2970000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 0.2.C&F.exe.2880000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0.2.C&F.exe.2880000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 3.2.C&F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.2.C&F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 1.2.C&Fmgr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Ramnit Payload | Author: kevoreilly
Source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 3.2.C&F.exe.2970000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 3.2.C&F.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 3.2.C&F.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
PE file has a writeable .text section
Source: C&F.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_0043DF58 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_0044DC44 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_0042FD30 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00401B50 NtQuerySystemInformation
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00401B34 NtQueryInformationProcess
Source: C:\Users\user\Desktop\C&F.exe | Code function: 3_2_00498159 NtCreateSection
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00459074 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_0043DF58 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_004597F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_004598A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_0044DC44 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_0042FD30 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_00453748
Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_0044DC44
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00419179
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_0041BA78
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_004122D5
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00418B5F
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00411B24
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_004193AF
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_0041840F
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00417CDF
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_0041AD45
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00416D54
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_0041C6B6
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_004167DD
Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_004197B4
Source: C:\Users\user\Desktop\C&F.exe | Code function: 3_2_00444A66
Source: C:\Users\user\Desktop\C&F.exe | Code function: 3_2_00491976
Source: C:\Users\user\Desktop\C&F.exe | Code function: 3_2_0049713D
Source: C:\Users\user\Desktop\C&F.exe | Code function: 3_2_004E1D4E
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_0041E21E
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_0046AB9C
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00464D38
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00453748
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_0044DC44
Source: C:\Users\user\Desktop\C&F.exe | Code function: 5_2_00411C0F
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\C&Fmgr.exe F34E5AF97CCB3574F7D5343246138DAF979BFD1F9C37590E9A41F6420DDB3BB6
Source: C:\Users\user\Desktop\C&F.exe | Code function: String function: 004068A4 appears 31 times
Source: C:\Users\user\Desktop\C&F.exe | Code function: String function: 004042AC appears 79 times
Source: C:\Users\user\Desktop\C&F.exe | Code function: String function: 0040390C appears 40 times
Source: C&Fmgr.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ~TMB479.tmp.1.dr | Static PE information: No import functions for PE file found
Source: C&F.exe | Binary or memory string: OriginalFilename vs C&F.exe
Source: C&F.exe, 00000000.00000002.238139464.0000000000860000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs C&F.exe
Source: C&F.exe, 00000000.00000002.240721672.0000000002882000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs C&F.exe
Source: C&F.exe, 00000000.00000002.236948248.0000000000517000.00000040.00020000.sdmp | Binary or memory string: OriginalFilename vs C&F.exe
Source: C&F.exe, 00000000.00000002.236915996.0000000000515000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename$ vs C&F.exe
Source: C&F.exe | Binary or memory string: OriginalFilename vs C&F.exe
Source: C&F.exe, 00000003.00000000.232544844.0000000000515000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs C&F.exe
Source: C&F.exe, 00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs C&F.exe
Source: C&F.exe, 00000003.00000002.512439650.0000000007900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs C&F.exe
Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs C&F.exe
Source: C&F.exe, 00000003.00000002.512716877.0000000007D50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs C&F.exe
Source: C&F.exe, 00000003.00000002.499621141.0000000000740000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs C&F.exe
Source: C&F.exe | Binary or memory string: OriginalFilename vs C&F.exe
Source: C&F.exe, 00000005.00000002.497477544.0000000000515000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename$ vs C&F.exe
Source: C&F.exe, 00000005.00000002.498524162.0000000000810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs C&F.exe
Source: C&F.exe, 00000005.00000002.497537908.0000000000517000.00000040.00020000.sdmp | Binary or memory string: OriginalFilename vs C&F.exe
Source: C&F.exe | Binary or memory string: OriginalFilename$ vs C&F.exe
Source: 00000003.00000002.500177942.00000000021F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.241736769.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
Source: 00000015.00000002.394519379.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.240721672.0000000002882000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.240792664.000000000291F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000001.233355502.00000000004C7000.00000040.00020000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.497067344.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.499886846.0000000002160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.499886846.0000000002160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000003.00000002.496517531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.500602613.00000000022C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.505227778.0000000002A39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.505008957.0000000002970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: C&F.exe PID: 6708, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: C&F.exe PID: 6708, type: MEMORY | Matched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
Source: Process Memory Space: C&F.exe PID: 6640, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.C&F.exe.22c0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.C&F.exe.22c0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.1.C&F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.1.C&F.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.C&Fmgr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
Source: 3.2.C&F.exe.2160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.C&F.exe.2160000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.2.C&F.exe.2160000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.C&F.exe.2160000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.C&F.exe.2970000.5.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.C&F.exe.2880000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.C&F.exe.2880000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.C&F.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.C&F.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.C&Fmgr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Ramnit author = kevoreilly, description = Ramnit Payload, cape_type = Ramnit Payload
          Source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 3.2.C&F.exe.2970000.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 3.2.C&F.exe.21f0000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.C&F.exe.21f0000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: C&F.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 3.2.C&F.exe.22c0000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.22c0000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 3.2.C&F.exe.22c0000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.22c0000.4.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 3.2.C&F.exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.21f0000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.21f0000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 3.2.C&F.exe.21f0000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 3.2.C&F.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 3.2.C&F.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 3.2.C&F.exe.21f0000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 3.2.C&F.exe.21f0000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 3.2.C&F.exe.21f0000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 3.2.C&F.exe.21f0000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 3.2.C&F.exe.22c0000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 3.2.C&F.exe.22c0000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 3.2.C&F.exe.21f0000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 3.2.C&F.exe.21f0000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 3.2.C&F.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 3.2.C&F.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 3.2.C&F.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 3.2.C&F.exe.22c0000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 3.2.C&F.exe.22c0000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 3.2.C&F.exe.22c0000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 3.2.C&F.exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 3.2.C&F.exe.22c0000.4.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: ~TMB479.tmp.1.dr | Binary string: \Device\IPT
          Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@11/4@5/2
          Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_00420744 GetLastError,FormatMessageA,0_2_00420744
          Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00401755 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,1_2_00401755
          Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_00408A64 GetDiskFreeSpaceA,0_2_00408A64
          Source: C:\Users\user\Desktop\C&Fmgr.exe | Code function: 1_2_00402395 CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,CloseHandle,1_2_00402395
          Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_00413A98 FindResourceA,0_2_00413A98
          Source: C:\Users\user\Desktop\C&F.exe | File created: C:\Users\user\Desktop\C&Fmgr.exe
          Source: C:\Users\user\Desktop\C&F.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Users\user\Desktop\C&F.exe | Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
          Source: C:\Users\user\Desktop\C&Fmgr.exe | File created: C:\Users\user~1\AppData\Local\Temp\~TMB479.tmp
          Source: C:\Users\user\Desktop\C&F.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences; this is the Delphi RTL locale lookup, consistent with a Delphi-compiled outer loader)
          Source: C:\Users\user\Desktop\C&F.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\C&F.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\C&F.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
          Source: C:\Users\user\Desktop\C&F.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor (2 occurrences)
          Source: C:\Users\user\Desktop\C&F.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Users\user\Desktop\C&F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\C&F.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: C&F.exe | ReversingLabs: Detection: 91%
          Source: unknown | Process created: C:\Users\user\Desktop\C&F.exe 'C:\Users\user\Desktop\C&F.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\C&Fmgr.exe C:\Users\user\Desktop\C&Fmgr.exe
          Source: unknown | Process created: C:\Users\user\Desktop\C&F.exe 'C:\Users\user\Desktop\C&F.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\C&F.exe 'C:\Users\user\Desktop\C&F.exe' 2 6708 5027625
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4D2.tmp'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD480.tmp'
          Source: C:\Users\user\Desktop\C&F.exe | Process created: C:\Users\user\Desktop\C&Fmgr.exe C:\Users\user\Desktop\C&Fmgr.exe
          Source: C:\Users\user\Desktop\C&F.exe | Process created: C:\Users\user\Desktop\C&F.exe 'C:\Users\user\Desktop\C&F.exe'
          Source: C:\Users\user\Desktop\C&F.exe | Process created: C:\Users\user\Desktop\C&F.exe 'C:\Users\user\Desktop\C&F.exe' 2 6708 5027625
          Source: C:\Users\user\Desktop\C&F.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4D2.tmp'
          Source: C:\Users\user\Desktop\C&F.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD480.tmp'
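The two vbc.exe launches above are the point a defender can key on. The Visual Basic compiler has no /stext switch; /stext is the save-as-text option of NirSoft's mailpv and WebBrowserPassView (whose PDB paths show up in the memory dumps later in this report), so the compiler image has been hollowed and filled with a credential-recovery tool that writes its results to a temp file for the parent to collect. The detection logic below is an added example and not part of the Joe Sandbox report: the process-creation events it runs over are constructed to mirror this process tree (the PIDs and the MSBuild event are made up, the vbc.exe command lines copy the report), and the switch list and build-host allow-list are my own assumptions to be tuned per estate.

```python
import re
from pathlib import PureWindowsPath

# Output switches of NirSoft's command-line recovery tools (mailpv, WebBrowserPassView, ...).
# The real Visual Basic compiler accepts none of them, so one of these on a vbc.exe command
# line means the compiler image was replaced in memory (process hollowing).
NIRSOFT_SAVE_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab", "/scsv"}
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately start the .NET compilers (assumed allow-list; extend per estate).
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}


def tokens(cmdline):
    """Split a Windows command line on whitespace while keeping quoted paths intact;
    quotes are dropped and everything lower-cased for comparison."""
    return [t.strip("'\"").lower() for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Run both rules over process-creation events; returns one alert dict per rule hit."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if image not in DOTNET_COMPILERS:
            continue
        args = tokens(ev["cmdline"])[1:]  # drop argv[0]
        hit = NIRSOFT_SAVE_SWITCHES.intersection(args)
        if hit:
            alerts.append({"pid": ev["pid"], "rule": "nirsoft_switch_in_dotnet_compiler",
                           "detail": f"{image} {' '.join(sorted(hit))} spawned by {parent}"})
        if parent not in BUILD_HOSTS:
            alerts.append({"pid": ev["pid"], "rule": "dotnet_compiler_outside_build_host",
                           "detail": f"{image} spawned by {parent}"})
    return alerts


# Constructed events mirroring the report's process tree plus one benign build. All PIDs and
# the MSBuild event are made up; the command lines of 7012 and 7044 copy the report.
EVENTS = [
    {"pid": 6900, "parent_image": r"C:\Users\user\Desktop\C&F.exe",
     "image": r"C:\Users\user\Desktop\C&Fmgr.exe",
     "cmdline": r"C:\Users\user\Desktop\C&Fmgr.exe"},
    {"pid": 7012, "parent_image": r"C:\Users\user\Desktop\C&F.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4D2.tmp'"},
    {"pid": 7044, "parent_image": r"C:\Users\user\Desktop\C&F.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD480.tmp'"},
    {"pid": 4120, "parent_image": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"vbc.exe /noconfig /out:obj\Debug\App.exe /target:exe Module1.vb"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The first rule is the high-confidence one and needs no allow-list; the second catches the same hollowing pattern when the injected tool is not a NirSoft binary, at the cost of tuning the parent list for developer machines.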
          Source: C:\Users\user\Desktop\C&F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\C&F.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (the Outlook Express/Windows Mail account store, read here by the mailpv instance hollowed into vbc.exe)
          Source: C:\Users\user\Desktop\C&F.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.260876179.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: C&Fmgr.exe, 00000001.00000002.243830136.000000006D991000.00000020.00020000.sdmp, ~TMB479.tmp.1.dr
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: C&F.exe, 00000003.00000003.235963056.0000000004293000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.394519379.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: C&Fmgr.exe, 00000001.00000002.243830136.000000006D991000.00000020.00020000.sdmp, ~TMB479.tmp.1.dr

          Data Obfuscation:

          barindex
          Binary contains a suspicious time stampShow sources
          Source: initial sampleStatic PE information: 0xC8733C73 [Sun Jul 26 13:21:55 2076 UTC]
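The two static findings flagged on this sample, a link-time stamp decades in the future and a .text section carrying IMAGE_SCN_MEM_WRITE (listed under the static PE information earlier in this report), can be checked without a sandbox. The following is an added example, not part of the Joe Sandbox report or the analysed binary: a minimal PE header parser in Python that reads TimeDateStamp and the section characteristics straight from the COFF file header and section table, then flags both conditions. The image it parses is constructed inline to reproduce the report's values (stamp 0xC8733C73, .text flags 0xE0000020); the reference time and the clean-sample values are made up.

```python
import datetime
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (TimeDateStamp, [(section name, Characteristics), ...]).

    Walks MZ -> e_lfanew -> "PE\\0\\0" -> IMAGE_FILE_HEADER -> section table. No
    third-party parser, so it runs anywhere Python does.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Characteristics sits at +36
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return timestamp, sections


def suspicious_findings(data, now_ts, slack_days=2):
    """Flag a link-time stamp that is zeroed or later than the reference time now_ts
    (epoch seconds, plus a little slack for clock skew), and any section that is both
    writable and code/executable."""
    timestamp, sections = parse_pe(data)
    findings = []
    if timestamp == 0:
        findings.append("timestamp zeroed")
    elif timestamp > now_ts + slack_days * 86400:
        built = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
        findings.append(f"timestamp in the future: 0x{timestamp:08X} [{built:%a %b %d %H:%M:%S %Y} UTC]")
    for name, flags in sections:
        if flags & IMAGE_SCN_MEM_WRITE and flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(f"writable code section: {name} 0x{flags:08X}")
    return findings


def build_sample_pe(timestamp, text_flags):
    """Constructed minimal PE (DOS header, PE signature, COFF header with an empty optional
    header, two section headers, no section data) used only to exercise the checks above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 2, timestamp, 0, 0, 0, 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, text_flags)
    rdata = struct.pack("<8sIIIIIIHHI", b".rdata", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return bytes(dos) + b"PE\0\0" + coff + text + rdata


# Reproduces the report's two static findings: stamp 0xC8733C73 and a .text section with
# EXECUTE|WRITE|CODE|READ (0xE0000020). Constructed data, not the analysed binary.
SAMPLE_FORGED = build_sample_pe(
    0xC8733C73, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
# A normally linked image: a 2020 stamp and a read-only executable .text (made-up values).
SAMPLE_CLEAN = build_sample_pe(0x5F000000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)

if __name__ == "__main__":
    reference = 1601510400  # 2020-10-01 00:00:00 UTC, an assumed analysis date
    for label, image in (("forged", SAMPLE_FORGED), ("clean", SAMPLE_CLEAN)):
        print(label, suspicious_findings(image, reference))
```

The future-stamp check is only as good as the reference clock, and a zeroed stamp is worth flagging separately because some toolchains (and reproducible builds) legitimately blank it; a writable .text on a .NET-hosting Delphi loader like this one is the more reliable of the two signals.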
          Source: C:\Users\user\Desktop\C&F.exe | Code function: 0_2_00517006 LoadLibraryA,GetProcAddress,GetModuleFileNameA,FreeLibrary,0_2_00517006
          Source: ~TMB479.tmp.1.dr | Static PE information: section name: RT
          Source: ~TMB479.tmp.1.dr | Static PE information: section name: .mrdata
          Source: ~TMB479.tmp.1.dr | Static PE information: section name: .00cfg (.mrdata and .00cfg together with the wntdll.pdb string above identify ~TMB479.tmp as a copy of ntdll.dll dropped under a temporary name, matching the "Renames NTDLL to bypass HIPS" signature)
          Source: C:\Users\user\Desktop\C&F.exe