Analysis Report Vkdr225E85

Overview

General Information

Sample Name:	Vkdr225E85 (renamed file extension from none to exe)
Analysis ID:	359443
MD5:	ff932f457521b993feffc92d662166e6
SHA1:	725cc0c5e1914d3ea02674fa7278ed8b7c4f8b19
SHA256:	ac8dde58d7ead58fa4b474c6627621489fdf362270147bb0e00c1a8678ba3888
Tags:	HawkEye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: vbc.exe.7140.7.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for submitted file

Source: Vkdr225E85.exe	Metadefender: Detection: 24%			Perma Link
Source: Vkdr225E85.exe	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Source: Vkdr225E85.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack	Avira: Label: TR/Inject.vcoldi
Source: 4.2.Vkdr225E85.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.Vkdr225E85.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files

Source: Vkdr225E85.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Vkdr225E85.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe

Spreading:

May infect USB drives

Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	7_2_00407E0E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_091BB598
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then call 054EA6E8h	4_2_073F9958
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073F9958
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073FA6B7
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073F26D9
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then call 054EA6E8h	4_2_073FA308
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073FA308
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then call 054EA6E8h	4_2_073FA3F2
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073FA3F2
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073F326B
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073FB1A5
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073FB0BB
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073F2B99
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073FA9DC
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_073F2835
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_0776039E
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_07760207

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.7:49731 -> 103.27.200.199:21

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49732 -> 103.27.200.199:35394

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.27.200.199 103.27.200.199

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH

Uses FTP

Source: unknown

FTP traffic detected: 103.27.200.199:21 -> 192.168.2.7:49731 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000007.00000002.282860124.0000000000B7E000.00000004.00000001.sdmp	String found in binary or memory: go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000002.282860124.0000000000B7E000.00000004.00000001.sdmp	String found in binary or memory: go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.282033298.0000000000B7B000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
Source: vbc.exe, 00000007.00000003.282033298.0000000000B7B000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=

Source: unknown

DNS traffic detected: queries for: 200.82.6.0.in-addr.arpa

Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Vkdr225E85.exe, 00000004.00000002.509801613.0000000003563000.00000004.00000001.sdmp	String found in binary or memory: http://ftp.triplelink.co.th
Source: Vkdr225E85.exe	String found in binary or memory: http://inchat.kro.kr
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Vkdr225E85.exe	String found in binary or memory: http://schooldb.inchat.kro.kr/
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Vkdr225E85.exe	String found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000007.00000003.281794545.0000000000C5D000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=71620848v
Source: vbc.exe, 00000007.00000003.281794545.0000000000C5D000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
Source: vbc.exe, 00000007.00000003.281794545.0000000000C5D000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.
Source: vbc.exe, 00000007.00000003.282033298.0000000000B7B000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=57232382215=
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://login.live.com/login.srf?B
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/ILLMEMhZ
Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Source: Yara match	File source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vkdr225E85.exe PID: 6504, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vkdr225E85.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.308b314.5.raw.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs

.Net Code: HookKeyboard

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

6_2_0040AC8A

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Vkdr225E85.exe.308b314.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: Vkdr225E85.exe, frmLogin.cs	Long String: Length: 13656
Source: 1.2.Vkdr225E85.exe.b80000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 1.0.Vkdr225E85.exe.b80000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 4.2.Vkdr225E85.exe.b70000.4.unpack, frmLogin.cs	Long String: Length: 13656
Source: 4.0.Vkdr225E85.exe.b70000.0.unpack, frmLogin.cs	Long String: Length: 13656

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A74 NtWriteVirtualMemory,	4_2_073F8A74
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A98 NtUnmapViewOfSection,	4_2_073F8A98
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A8C NtSetContextThread,	4_2_073F8A8C
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073FF6F8 NtUnmapViewOfSection,	4_2_073FF6F8
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A38 NtSetContextThread,	4_2_073F8A38
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A2C NtSetContextThread,	4_2_073F8A2C
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A20 NtWriteVirtualMemory,	4_2_073F8A20
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A08 NtUnmapViewOfSection,	4_2_073F8A08
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A5C NtUnmapViewOfSection,	4_2_073F8A5C
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A44 NtUnmapViewOfSection,	4_2_073F8A44
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F8A80 NtSetContextThread,	4_2_073F8A80
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073FF910 NtSetContextThread,	4_2_073FF910
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073FF858 NtWriteVirtualMemory,	4_2_073FF858
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,	7_2_00408836

Detected potential crypto function

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_00B8AB56	1_2_00B8AB56
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_0162C2B0	1_2_0162C2B0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_01629990	1_2_01629990
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_091B99B0	1_2_091B99B0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_091B5FB0	1_2_091B5FB0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_00B8ABB1	1_2_00B8ABB1
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_00B8ABA0	1_2_00B8ABA0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_00B8ABF5	1_2_00B8ABF5
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_00B8ABE4	1_2_00B8ABE4
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 1_2_00B8ABD3	1_2_00B8ABD3
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B76F8C	4_2_00B76F8C
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B7AB56	4_2_00B7AB56
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_0177B29C	4_2_0177B29C
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_0177C310	4_2_0177C310
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_0177C568	4_2_0177C568
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_0177B290	4_2_0177B290
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_017799D0	4_2_017799D0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_0177DFD0	4_2_0177DFD0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073FB620	4_2_073FB620
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F2360	4_2_073F2360
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F1F30	4_2_073F1F30
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F1EA8	4_2_073F1EA8
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073FED30	4_2_073FED30
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F6B20	4_2_073F6B20
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F9BB8	4_2_073F9BB8
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F2BA8	4_2_073F2BA8
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F3BE8	4_2_073F3BE8
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F9958	4_2_073F9958
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F3BD7	4_2_073F3BD7
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B7ABB1	4_2_00B7ABB1
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B7ABA0	4_2_00B7ABA0
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B7ABF5	4_2_00B7ABF5
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B7ABE4	4_2_00B7ABE4
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_00B7ABD3	4_2_00B7ABD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404DDB	6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040BD8A	6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404E4C	6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404EBD	6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404F4E	6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00404419	7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00404516	7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00413538	7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004145A1	7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_0040E639	7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004337AF	7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004399B1	7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_0043DAE7	7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00405CF6	7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00403F85	7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00411F99	7_2_00411F99

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Sample file is different than original file name gathered from version info

Source: Vkdr225E85.exe	Binary or memory string: OriginalFilename vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.255460083.0000000000B82000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCONSOLESCREENBUFFERINFO.exe. vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.270888811.0000000008D50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Vkdr225E85.exe
Source: Vkdr225E85.exe	Binary or memory string: OriginalFilename vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000004.00000002.502829313.0000000000482000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs Vkdr225E85.exe
Source: Vkdr225E85.exe, 00000004.00000000.254268218.0000000000B72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCONSOLESCREENBUFFERINFO.exe. vs Vkdr225E85.exe
Source: Vkdr225E85.exe	Binary or memory string: OriginalFilenameCONSOLESCREENBUFFERINFO.exe. vs Vkdr225E85.exe

Uses 32bit PE files

Source: Vkdr225E85.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000004.00000002.513535332.0000000007600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.513457560.00000000075A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Vkdr225E85.exe.7600000.12.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Vkdr225E85.exe.75a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Vkdr225E85.exe.30a2f34.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Vkdr225E85.exe.308b314.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Vkdr225E85.exe.308b314.5.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: Vkdr225E85.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Vkdr225E85.exe, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.2.Vkdr225E85.exe.b80000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.0.Vkdr225E85.exe.b80000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Vkdr225E85.exe.b70000.4.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.Vkdr225E85.exe.b70000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'O6ZQ7J5ocLxf6RhQQpNSk/JzuZPUi9E0JuztOnaE/Qd705fOtAkyZW1GYthg8J6YkNuszS5M9pYlCk2wrogMRg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@7/4@2/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

7_2_00415AFD

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

7_2_00415F87

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

7_2_00411196

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

6_2_0040ED0B

Source: C:\Users\user\Desktop\Vkdr225E85.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vkdr225E85.exe.log

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Vkdr225E85.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Users\user\Desktop\Vkdr225E85.exe 'C:\Users\user\Desktop\Vkdr225E85.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Vkdr225E85.exe C:\Users\user\Desktop\Vkdr225E85.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process created: C:\Users\user\Desktop\Vkdr225E85.exe C:\Users\user\Desktop\Vkdr225E85.exe	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'	Jump to behavior

Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F0680 pushfd ; retf	4_2_073F0689
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F5038 pushfd ; retf	4_2_073F5045
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Code function: 4_2_073F4B7F pushad ; retf	4_2_073F4B81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00411879 push ecx; ret	6_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004118A0 push eax; ret	6_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004118A0 push eax; ret	6_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442871 push ecx; ret	7_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442A90 push eax; ret	7_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442A90 push eax; ret	7_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00446E54 push eax; ret	7_2_00446E61

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vkdr225E85.exe PID: 6504, type: MEMORY
Source: Yara match	File source: 1.2.Vkdr225E85.exe.2fb1f74.1.raw.unpack, type: UNPACKEDPE

Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 6508	Thread sleep time: -101757s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 6840	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 7028	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 7036	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 7048	Thread sleep time: -94200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe TID: 360	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.2.Vkdr225E85.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Memory written: C:\Users\user\Desktop\Vkdr225E85.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\Vkdr225E85.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior
Source: C:\Users\user\Desktop\Vkdr225E85.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior

Source: Vkdr225E85.exe, 00000004.00000002.505796707.00000000019C0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: Vkdr225E85.exe, 00000004.00000002.505796707.00000000019C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Vkdr225E85.exe, 00000004.00000002.505796707.00000000019C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Vkdr225E85.exe, 00000004.00000002.505796707.00000000019C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Vkdr225E85.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Vkdr225E85.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Source: Yara match	File source: 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.276981513.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7132, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vkdr225E85.exe PID: 6504, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vkdr225E85.exe PID: 6712, type: MEMORY
Source: Yara match	File source: 4.2.Vkdr225E85.exe.4069930.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.4069930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt			Jump to behavior

Analysis Report Vkdr225E85

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	6_2_004033D7

Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp	String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: Vkdr225E85.exe, 00000004.00000002.509838263.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: lBHawkEye_Keylogger_Stealer_Records_414408 2.28.2021 10:13:45 AM.txtP
Source: Vkdr225E85.exe, 00000004.00000002.509838263.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: lISTOR HawkEye_Keylogger_Stealer_Records_414408 2.28.2021 10:13:45 AM.txt
Source: Vkdr225E85.exe, 00000004.00000002.509838263.000000000356F000.00000004.00000001.sdmp	String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_414408 2.28.2021 10:13:45 AM.txt
Source: Vkdr225E85.exe, 00000004.00000003.319554425.00000000078B8000.00000004.00000001.sdmp	String found in binary or memory: ftp.triplelink.co.thDD/HawkEye_Keylogger_Stealer_Records_414408 2.28.2021 10:13:45 AM.txt
Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Vkdr225E85.exe, 00000004.00000002.509801613.0000000003563000.00000004.00000001.sdmp	String found in binary or memory: lBHawkEye_Keylogger_Stealer_Records_414408 2.28.2021 10:13:45 AM.txt
Source: Vkdr225E85.exe, 00000004.00000002.509801613.0000000003563000.00000004.00000001.sdmp	String found in binary or memory: l]ftp://ftp.triplelink.co.th/HawkEye_Keylogger_Stealer_Records_414408 2.28.2021 10:13:45 AM.txt
Source: Vkdr225E85.exe, 00000004.00000002.509801613.0000000003563000.00000004.00000001.sdmp	String found in binary or memory: ftp://ftp.triplelink.co.th/HawkEye_Keylogger_Stealer_Records_414408%202.28.2021%2010:13:45%20AM.txt
Source: Vkdr225E85.exe, 00000004.00000002.509801613.0000000003563000.00000004.00000001.sdmp	String found in binary or memory: lcftp://ftp.triplelink.co.th/HawkEye_Keylogger_Stealer_Records_414408%202.28.2021%2010:13:45%20AM.txt

Name	IP	Active
ftp.triplelink.co.th	103.27.200.199	true
200.82.6.0.in-addr.arpa	unknown	unknown

ID:	359443
Product:	CloudBasic
Start time:	10:04:21
Start date:	28.02.2021
Sample:	Vkdr225E85
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ff932f457521b993feffc92d662166e6
SHA1:	725cc0c5e1914d3ea02674fa7278ed8b7c4f8b19
SHA256:	ac8dde58d7ead58fa4b474c6627621489fdf362270147bb0e00c1a8678ba3888
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vkdr225E85.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\holderwb.txt	Little-endian UTF-16 Unicode text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\pid.txt	ASCII text, with no line terminators	5726DAF2C9EE0F955ECA58291C26D2F3	C771A01B2F51BF310EAA80F1FF786832EE89C293	815573775E968B26DBC289D9CEE3FAA6FFD200DD7AC7DB90A023E5134B55E1EE
C:\Users\user\AppData\Roaming\pidloc.txt	ASCII text, with no line terminators	71C16A7891B44C92F849944E727A6210	05876E25501B87BEC07BB22CE58971F0A5F6BFBC	2D264DA1BBA7BF4A973AE8BA6AF8F9DC33CB4ACE8895A89560223A259C4DD090