
Analysis Report CF.exe

Overview

General Information

Sample Name: CF.exe
Analysis ID: 296647
MD5: 2eedf37ed7d943d6a255912e7e14ae49
SHA1: b0cdfe5a254ef6d13e83461b6a04c91cc0c88d13
SHA256: 44f88f1551622a78e7e0cb6cb04b810ce4c58a1dbd6039b1f7248b579e8f9095
Tags: exe


Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • CF.exe (PID: 7156 cmdline: 'C:\Users\user\Desktop\CF.exe' MD5: 2EEDF37ED7D943D6A255912E7E14AE49)
    • CF.exe (PID: 5680 cmdline: 'C:\Users\user\Desktop\CF.exe' MD5: 2EEDF37ED7D943D6A255912E7E14AE49)
      • vbc.exe (PID: 3360 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp25D5.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • BackgroundTransferHost.exe (PID: 6508 cmdline: 'BackgroundTransferHost.exe' -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
      • vbc.exe (PID: 6508 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1E7E.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • CF.exe (PID: 4908 cmdline: 'C:\Users\user\Desktop\CF.exe' 2 5680 5640125 MD5: 2EEDF37ED7D943D6A255912E7E14AE49)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp
Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn, author: Florian Roth)
Strings:
  • 0x80f3a:$s2: _ScreenshotLogger
  • 0x80f07:$s3: _PasswordStealer

Source: 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp
Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger, author: Joe Security)

Source: 00000003.00000002.221425548.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool, author: Joe Security)

Source: 00000001.00000002.475358527.0000000002B09000.00000004.00000001.sdmp
Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn, author: Florian Roth)
Strings:
  • 0x8e207:$s2: _ScreenshotLogger
  • 0x8e753:$s2: _ScreenshotLogger
  • 0x8e1d4:$s3: _PasswordStealer
  • 0x8e720:$s3: _PasswordStealer

Source: 00000001.00000002.475358527.0000000002B09000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger, author: Joe Security)

(The full memory-dump table has 35 entries; only the first five are included here.)

Unpacked PEs

Source: 1.2.CF.exe.2300000.4.unpack
Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn, author: Florian Roth)
Strings:
  • 0x8113a:$s2: _ScreenshotLogger
  • 0x81107:$s3: _PasswordStealer

Source: 1.2.CF.exe.2300000.4.unpack
Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger, author: Joe Security)

Source: 1.2.CF.exe.2300000.4.unpack
Rule: HawkEyev9 (HawkEye v9 Payload, author: ditekshen)
Strings:
  • 0x81107:$str1: _PasswordStealer
  • 0x81118:$str2: _KeyStrokeLogger
  • 0x8113a:$str3: _ScreenshotLogger
  • 0x81129:$str4: _ClipboardLogger
  • 0x8114c:$str5: _WebCamLogger
  • 0x81261:$str6: _AntiVirusKiller
  • 0x8124f:$str7: _ProcessElevation
  • 0x81216:$str8: _DisableCommandPrompt
  • 0x8131c:$str9: _WebsiteBlocker
  • 0x8132c:$str9: _WebsiteBlocker
  • 0x81202:$str10: _DisableTaskManager
  • 0x8127d:$str11: _AntiDebugger
  • 0x81307:$str12: _WebsiteVisitorSites
  • 0x8122c:$str13: _DisableRegEdit
  • 0x8128b:$str14: _ExecutionDelay
  • 0x811b0:$str15: _InstallStartupPersistance

Source: 16.2.vbc.exe.400000.0.raw.unpack
Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (Detects BabyShark KimJongRAT, author: Florian Roth)
Strings:
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password

Source: 16.2.vbc.exe.400000.0.raw.unpack
Rule: JoeSecurity_MailPassView (Yara detected MailPassView, author: Joe Security)

(The full unpacked-PE table has 28 entries; only the first five are included here.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: CF.exe | Avira: detected
Found malware configuration
Source: vbc.exe.3360.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: eagleeyeapparels.com | Virustotal: Detection: 11%
Source: mail.eagleeyeapparels.com | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: CF.exe | Virustotal: Detection: 58%
Source: CF.exe | ReversingLabs: Detection: 62%
Source: 0.2.CF.exe.43a0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.CF.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.CF.exe.2260000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.CF.exe.2300000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.CF.exe.4410000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_00408808 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_004059B4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040A1A7 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com (5 queries)
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 54.39.139.67:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: Joe Sandbox View | IP Address: 54.39.139.67
Source: Joe Sandbox View | IP Address: 66.171.248.178
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 54.39.139.67:587
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_023BA186 recv
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.221425548.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.221425548.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.221273721.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.221273721.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 220.240.8.0.in-addr.arpa
Source: CF.exe, 00000001.00000002.476047145.0000000002D06000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: CF.exe, 00000001.00000002.475318555.0000000002B03000.00000004.00000001.sdmp, CF.exe, 00000001.00000002.476047145.0000000002D06000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: CF.exe, 00000001.00000002.475824521.0000000002CBE000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: CF.exe, 00000001.00000002.479385320.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CF.exe, 00000001.00000002.479385320.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CF.exe, 00000001.00000002.479385320.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CF.exe, 00000001.00000002.479385320.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: CF.exe, 00000001.00000002.479385320.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: CF.exe | String found in binary or memory: http://pomf.cat/upload.php
Source: CF.exe, 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp, CF.exe, 00000001.00000002.470354451.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: CF.exe, 00000001.00000002.475318555.0000000002B03000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000003.00000002.221409901.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000010.00000002.355075023.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: CF.exe, 00000001.00000002.475318555.0000000002B03000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: CF.exe, 00000001.00000002.479385320.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.475358527.0000000002B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.470354451.000000000049F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.471807402.0000000002262000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.471984081.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.470043277.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.206905724.00000000044AF000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.471717069.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CF.exe PID: 7156, type: MEMORY
Source: Yara match | File source: Process Memory Space: CF.exe PID: 5680, type: MEMORY
Source: Yara match | File source: 1.2.CF.exe.2300000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CF.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CF.exe.43a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CF.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CF.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CF.exe.4410000.3.unpack, type: UNPACKEDPE
Yara detected Keylogger Generic
Source: Yara match | File source: Process Memory Space: CF.exe PID: 5680, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_004233DC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_00436828 GetKeyboardState
Source: CF.exe, 00000000.00000002.205938774.00000000008D8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.475358527.0000000002B09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 00000001.00000002.470354451.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000010.00000002.355075023.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 00000001.00000002.471807402.0000000002262000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.471984081.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.470043277.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000000.00000002.206905724.00000000044AF000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.471717069.00000000021D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.471717069.00000000021D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: Process Memory Space: CF.exe PID: 7156, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: CF.exe PID: 5680, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.CF.exe.2300000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.CF.exe.2300000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 1.2.CF.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.CF.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 0.2.CF.exe.43a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 0.2.CF.exe.43a0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 1.2.CF.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.CF.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 1.2.CF.exe.2510000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 1.2.CF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.CF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 1.2.CF.exe.2260000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.CF.exe.2260000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 0.2.CF.exe.4410000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 0.2.CF.exe.4410000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 1.2.CF.exe.2510000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_004545BC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_00439760 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_00454D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_00454DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_0042D1C4 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_0044918C GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_00498159 NtCreateSection
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FCD6F NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_004602FC
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_004665F4
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_0044EC90
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_0044918C
Source: C:\Users\user\Desktop\CF.exe | Code function: 0_2_00411B03
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_00444A66
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_00491976
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_0049713D
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_004E1D4E
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F1C58
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F7E50
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FB268
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3260
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FC278
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FBA18
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FAAC8
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F74C0
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F0C90
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F8B50
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FB578
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FAF2B
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F79C8
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3FD8
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F4FE0
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FBBA9
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3250
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F2461
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024FBA09
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F7E00
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F0828
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F343B
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3431
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F32DA
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F38D0
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F32F3
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F32A1
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F60A0
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F74B2
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F60B0
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F8B40
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3359
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3B58
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3968
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3B68
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F2568
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F2578
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F1B72
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F333F
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F7F32
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3FC9
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F2FC8
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F53C8
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F5FE4
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F6982
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F3380
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F2FB9
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F79B9
Source: C:\Users\user\Desktop\CF.exe | Code function: 1_2_024F53B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00414A51
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404C083_2_00404C08
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00406C8E3_2_00406C8E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00415DF33_2_00415DF3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00416E5C3_2_00416E5C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00410FE43_2_00410FE4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404DE516_2_00404DE5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404E5616_2_00404E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404EC716_2_00404EC7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404F5816_2_00404F58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_0040BF6B16_2_0040BF6B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00445190 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00416849 appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0040924D appears 31 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004166E8 appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00416A91 appears 88 times
            Source: C:\Users\user\Desktop\CF.exe Code function: String function: 0040425C appears 81 times
            Source: C:\Users\user\Desktop\CF.exe Code function: String function: 004038BC appears 36 times
            Source: C:\Users\user\Desktop\CF.exe Code function: String function: 004034F0 appears 32 times
            Source: CF.exe Static PE information: Resource name: RT_HTML type: COM executable for DOS
            Source: CF.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: CF.exe, 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameRebornX Stub.exe" vs CF.exe
            Source: CF.exe, 00000000.00000000.202355660.000000000048C000.00000002.00020000.sdmp Binary or memory string: OriginalFilename$ vs CF.exe
            Source: CF.exe, 00000000.00000002.205911053.0000000000820000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs CF.exe
            Source: CF.exe Binary or memory string: OriginalFilename vs CF.exe
            Source: CF.exe, 00000001.00000002.475358527.0000000002B09000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRebornX Stub.exe" vs CF.exe
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs CF.exe
            Source: CF.exe, 00000001.00000002.478685381.0000000007800000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs CF.exe
            Source: CF.exe, 00000001.00000000.203753941.000000000048C000.00000002.00020000.sdmp Binary or memory string: OriginalFilename$ vs CF.exe
            Source: CF.exe, 00000001.00000002.479140761.0000000007C50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CF.exe
            Source: CF.exe, 00000002.00000000.205344130.000000000048C000.00000002.00020000.sdmp Binary or memory string: OriginalFilename$ vs CF.exe
            Source: CF.exe Binary or memory string: OriginalFilename$ vs CF.exe
            Source: 00000000.00000002.206692308.0000000004412000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.475358527.0000000002B09000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000001.00000002.470354451.000000000049F000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000010.00000002.355075023.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000001.00000002.471807402.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.471984081.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.470043277.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.206905724.00000000044AF000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.471717069.00000000021D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.471717069.00000000021D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: Process Memory Space: CF.exe PID: 7156, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: Process Memory Space: CF.exe PID: 5680, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: Process Memory Space: CF.exe PID: 5680, type: MEMORY Matched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
            Source: 1.2.CF.exe.2300000.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.CF.exe.2300000.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.CF.exe.21d0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.CF.exe.21d0000.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.CF.exe.43a0000.2.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.CF.exe.43a0000.2.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.CF.exe.21d0000.2.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.CF.exe.21d0000.2.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.CF.exe.2510000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.CF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.CF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.CF.exe.2260000.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.CF.exe.2260000.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.CF.exe.4410000.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.CF.exe.4410000.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.CF.exe.2510000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.CF.exe.4410000.3.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.CF.exe.4410000.3.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.CF.exe.4410000.3.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.CF.exe.4410000.3.unpack, u200c???????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.CF.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.CF.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 1.2.CF.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.CF.exe.400000.0.unpack, u200c???????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.CF.exe.2260000.3.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.CF.exe.2260000.3.unpack, u200d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 1.2.CF.exe.2260000.3.unpack, u200c???????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.CF.exe.4410000.3.unpack, u206f????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 0.2.CF.exe.4410000.3.unpack, u206f????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 0.2.CF.exe.4410000.3.unpack, u206f????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 0.2.CF.exe.4410000.3.unpack, u206a????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 1.2.CF.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 1.2.CF.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1.2.CF.exe.400000.0.unpack, u206f????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 1.2.CF.exe.400000.0.unpack, u206f????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 1.2.CF.exe.400000.0.unpack, u206f????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 1.2.CF.exe.2260000.3.unpack, u202d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 1.2.CF.exe.2260000.3.unpack, u202d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.CF.exe.4410000.3.unpack, u202d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.2.CF.exe.4410000.3.unpack, u202d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1.2.CF.exe.2260000.3.unpack, u206f????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 1.2.CF.exe.2260000.3.unpack, u206f????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 1.2.CF.exe.2260000.3.unpack, u206f????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 1.2.CF.exe.400000.0.unpack, u206a????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 1.2.CF.exe.2260000.3.unpack, u206a????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@10/2@3/3
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_004204F4 GetLastError,FormatMessageA
            Source: C:\Users\user\Desktop\CF.exe Code function: 1_2_078132F2 AdjustTokenPrivileges
            Source: C:\Users\user\Desktop\CF.exe Code function: 1_2_078132BB AdjustTokenPrivileges
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00408980 GetDiskFreeSpaceA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00413958 FindResourceA
            Source: C:\Users\user\Desktop\CF.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\Desktop\CF.exe Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
            Source: C:\Users\user\Desktop\CF.exe File created: C:\Users\user\AppData\Local\Temp\01e864aa-fa9b-c261-ff81-b3cc7f79a6d3
            Source: C:\Users\user\Desktop\CF.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\CF.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\CF.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\CF.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\CF.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
            Source: C:\Users\user\Desktop\CF.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\CF.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\CF.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Users\user\Desktop\CF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\CF.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\CF.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\CF.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\CF.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\CF.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\CF.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.221425548.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: CF.exe Virustotal: Detection: 58%
            Source: CF.exe ReversingLabs: Detection: 62%
            Source: unknown Process created: C:\Users\user\Desktop\CF.exe 'C:\Users\user\Desktop\CF.exe'
            Source: unknown Process created: C:\Users\user\Desktop\CF.exe 'C:\Users\user\Desktop\CF.exe'
            Source: unknown Process created: C:\Users\user\Desktop\CF.exe 'C:\Users\user\Desktop\CF.exe' 2 5680 5640125
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp25D5.tmp'
            Source: unknown Process created: C:\Windows\System32\BackgroundTransferHost.exe 'BackgroundTransferHost.exe' -ServerName:BackgroundTransferHost.1
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1E7E.tmp'
            Source: C:\Users\user\Desktop\CF.exe Process created: C:\Users\user\Desktop\CF.exe 'C:\Users\user\Desktop\CF.exe'
            Source: C:\Users\user\Desktop\CF.exe Process created: C:\Users\user\Desktop\CF.exe 'C:\Users\user\Desktop\CF.exe' 2 5680 5640125
            Source: C:\Users\user\Desktop\CF.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp25D5.tmp'
            Source: C:\Users\user\Desktop\CF.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe 'BackgroundTransferHost.exe' -ServerName:BackgroundTransferHost.1
            Source: C:\Users\user\Desktop\CF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\CF.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: CF.exe Static file information: File size 1052672 > 1048576
            Source: C:\Users\user\Desktop\CF.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: CF.exe, 00000001.00000002.473006630.0000000002510000.00000004.00000001.sdmp, vbc.exe

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\CF.exe Unpacked PE file: 1.2.CF.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
            Detected unpacking (creates a PE file in dynamic memory)
            Source: C:\Users\user\Desktop\CF.exe Unpacked PE file: 1.2.CF.exe.2300000.4.unpack
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\CF.exe Unpacked PE file: 1.2.CF.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0046A23C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateThread,WaitForSingleObjectEx, 0_2_0046A23C
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00440B68 push 00440BF5h; ret 0_2_00440BED
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00410198 push 004102B4h; ret 0_2_004102AC
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00410288 push 004102B4h; ret 0_2_004102AC
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0046A344 push 0046A36Ah; ret 0_2_0046A362
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0046A30C push 0046A338h; ret 0_2_0046A330
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0041C414 push ecx; mov dword ptr [esp], edx 0_2_0041C419
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0040649E push 004064F1h; ret 0_2_004064E9
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_004064A0 push 004064F1h; ret 0_2_004064E9
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0042651C push 004265ECh; ret 0_2_004265E4
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_004365C8 push ecx; mov dword ptr [esp], ecx 0_2_004365CC
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00406670 push 0040669Ch; ret 0_2_00406694
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_004266FC push 00426728h; ret 0_2_00426720
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0041A6A8 push ecx; mov dword ptr [esp], edx 0_2_0041A6AA
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00456708 push 00456762h; ret 0_2_0045675A
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0040672C push 00406758h; ret 0_2_00406750
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00412960 push ecx; mov dword ptr [esp], eax 0_2_00412961
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_004289FC push 00428A3Dh; ret 0_2_00428A35
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_004269B4 push 004269E0h; ret 0_2_004269D8
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00428A48 push 00428A74h; ret 0_2_00428A6C
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00428A80 push 00428AB8h; ret 0_2_00428AB0
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00458B6C push 00458B9Fh; ret 0_2_00458B97
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00440B00 push 00440B66h; ret 0_2_00440B5E
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00412BC4 push ecx; mov dword ptr [esp], edx 0_2_00412BC9
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00416D4C push ecx; mov dword ptr [esp], edx 0_2_00416D4E
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00412DEC push ecx; mov dword ptr [esp], edx 0_2_00412DF1
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00428DA4 push 00428DD0h; ret 0_2_00428DC8
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00412F4C push ecx; mov dword ptr [esp], edx 0_2_00412F51
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00412F08 push ecx; mov dword ptr [esp], edx 0_2_00412F0D
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0042EFBC push 0042F015h; ret 0_2_0042F00D
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0042F044 push 0042F07Ch; ret 0_2_0042F074
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00411034 push 00411081h; ret 0_2_00411079
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00454644 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00454644
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00454D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00454D38
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00454DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00454DE8
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0043AE34 IsIconic,GetCapture, 0_2_0043AE34
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00427410 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00427410
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0043B6DC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043B6DC
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_00451738 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00451738
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0043BFC0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043BFC0
            Source: C:\Users\user\Desktop\CF.exe Code function: 0_2_0044051C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_0044051C
            Source: C:\Users\user\Desktop\CF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\CF.exe Process information set: NOOPENFILEERRORBOX