Loading ...

Play interactive tourEdit tour

Analysis Report Vkdr225E85

Overview

General Information

Sample Name:Vkdr225E85 (renamed file extension from none to exe)
Analysis ID:359443
MD5:ff932f457521b993feffc92d662166e6
SHA1:725cc0c5e1914d3ea02674fa7278ed8b7c4f8b19
SHA256:ac8dde58d7ead58fa4b474c6627621489fdf362270147bb0e00c1a8678ba3888
Tags:HawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Vkdr225E85.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\Vkdr225E85.exe' MD5: FF932F457521B993FEFFC92D662166E6)
    • Vkdr225E85.exe (PID: 6712 cmdline: C:\Users\user\Desktop\Vkdr225E85.exe MD5: FF932F457521B993FEFFC92D662166E6)
      • vbc.exe (PID: 7132 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7140 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
      00000004.00000002.513535332.0000000007600000.00000004.00000001.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
      • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
      00000004.00000002.513457560.00000000075A0000.00000004.00000001.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
      • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
      00000006.00000002.276981513.0000000000400000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        Click to see the 23 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.Vkdr225E85.exe.4069930.8.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          7.2.vbc.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            4.2.Vkdr225E85.exe.45fa72.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
              4.2.Vkdr225E85.exe.7600000.12.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
              • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
              1.2.Vkdr225E85.exe.43cc7f0.2.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
              • 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
              Click to see the 58 entries

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: vbc.exe.7140.7.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
              Multi AV Scanner detection for submitted fileShow sources
              Source: Vkdr225E85.exeMetadefender: Detection: 24%Perma Link
              Source: Vkdr225E85.exeReversingLabs: Detection: 67%
              Machine Learning detection for sampleShow sources
              Source: Vkdr225E85.exeJoe Sandbox ML: detected
              Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: 4.2.Vkdr225E85.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 4.2.Vkdr225E85.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473

              Compliance:

              barindex
              Uses 32bit PE filesShow sources
              Source: Vkdr225E85.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
              Source: Vkdr225E85.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Binary contains paths to debug symbolsShow sources
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmpBinary or memory string: autorun.inf
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmpBinary or memory string: [autorun]
              Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00406EC3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,7_2_00408441
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,7_2_00407E0E
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h1_2_091BB598
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then call 054EA6E8h4_2_073F9958
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073F9958
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073FA6B7
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073F26D9
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then call 054EA6E8h4_2_073FA308
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073FA308
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then call 054EA6E8h4_2_073FA3F2
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073FA3F2
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073F326B
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073FB1A5
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073FB0BB
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073F2B99
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073FA9DC
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_073F2835
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_0776039E
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]4_2_07760207

              Networking:

              barindex
              Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
              Source: TrafficSnort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.7:49731 -> 103.27.200.199:21
              Source: global trafficTCP traffic: 192.168.2.7:49732 -> 103.27.200.199:35394
              Source: Joe Sandbox ViewIP Address: 103.27.200.199 103.27.200.199
              Source: Joe Sandbox ViewASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
              Source: unknownFTP traffic detected: 103.27.200.199:21 -> 192.168.2.7:49731 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exe, 00000007.00000002.282860124.0000000000B7E000.00000004.00000001.sdmpString found in binary or memory: go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000007.00000002.282860124.0000000000B7E000.00000004.00000001.sdmpString found in binary or memory: go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000007.00000003.282033298.0000000000B7B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
              Source: vbc.exe, 00000007.00000003.282033298.0000000000B7B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
              Source: unknownDNS traffic detected: queries for: 200.82.6.0.in-addr.arpa
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: Vkdr225E85.exe, 00000004.00000002.509801613.0000000003563000.00000004.00000001.sdmpString found in binary or memory: http://ftp.triplelink.co.th
              Source: Vkdr225E85.exeString found in binary or memory: http://inchat.kro.kr
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.509945562.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Vkdr225E85.exeString found in binary or memory: http://schooldb.inchat.kro.kr/
              Source: Vkdr225E85.exe, 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: Vkdr225E85.exeString found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: vbc.exe, vbc.exe, 00000007.00000002.282385616.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Vkdr225E85.exe, 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: Vkdr225E85.exe, 00000001.00000002.263249661.0000000006020000.00000002.00000001.sdmp, Vkdr225E85.exe, 00000004.00000002.511522126.00000000061B0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: vbc.exe, 00000007.00000003.281794545.0000000000C5D000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=71620848v
              Source: vbc.exe, 00000007.00000003.281794545.0000000000C5D000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
              Source: vbc.exe, 00000007.00000003.281794545.0000000000C5D000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.
              Source: vbc.exe, 00000007.00000003.282033298.0000000000B7B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=57232382215=
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?B
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
              Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: Vkdr225E85.exe, 00000001.00000002.257214387.0000000002F81000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
              Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/ILLMEMhZ
              Source: vbc.exe, 00000007.00000002.282758861.0000000000858000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Yara detected HawkEye KeyloggerShow sources
              Source: Yara matchFile source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Vkdr225E85.exe PID: 6504, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Vkdr225E85.exe PID: 6712, type: MEMORY
              Source: Yara matchFile source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Vkdr225E85.exe.308b314.5.raw.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)Show sources
              Source: 4.2.Vkdr225E85.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,6_2_0040AC8A

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000004.00000002.502038195.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000001.00000002.258840939.0000000003F89000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.506439148.0000000003061000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 1.2.Vkdr225E85.exe.43cc7f0.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Vkdr225E85.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Vkdr225E85.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Vkdr225E85.exe.409c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 1.2.Vkdr225E85.exe.4220570.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 1.2.Vkdr225E85.exe.43cc7f0.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Vkdr225E85.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 1.2.Vkdr225E85.exe.402c830.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Vkdr225E85.exe.308b314.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              .NET source code contains very large stringsShow sources
              Source: Vkdr225E85.exe, frmLogin.csLong String: Length: 13656
              Source: 1.2.Vkdr225E85.exe.b80000.0.unpack, frmLogin.csLong String: Length: 13656
              Source: 1.0.Vkdr225E85.exe.b80000.0.unpack, frmLogin.csLong String: Length: 13656
              Source: 4.2.Vkdr225E85.exe.b70000.4.unpack, frmLogin.csLong String: Length: 13656
              Source: 4.0.Vkdr225E85.exe.b70000.0.unpack, frmLogin.csLong String: Length: 13656
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A74 NtWriteVirtualMemory,4_2_073F8A74
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A98 NtUnmapViewOfSection,4_2_073F8A98
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A8C NtSetContextThread,4_2_073F8A8C
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073FF6F8 NtUnmapViewOfSection,4_2_073FF6F8
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A38 NtSetContextThread,4_2_073F8A38
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A2C NtSetContextThread,4_2_073F8A2C
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A20 NtWriteVirtualMemory,4_2_073F8A20
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A08 NtUnmapViewOfSection,4_2_073F8A08
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A5C NtUnmapViewOfSection,4_2_073F8A5C
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A44 NtUnmapViewOfSection,4_2_073F8A44
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F8A80 NtSetContextThread,4_2_073F8A80
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073FF910 NtSetContextThread,4_2_073FF910
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073FF858 NtWriteVirtualMemory,4_2_073FF858
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,7_2_00408836
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_00B8AB561_2_00B8AB56
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_0162C2B01_2_0162C2B0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_016299901_2_01629990
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_091B99B01_2_091B99B0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_091B5FB01_2_091B5FB0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_00B8ABB11_2_00B8ABB1
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_00B8ABA01_2_00B8ABA0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_00B8ABF51_2_00B8ABF5
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_00B8ABE41_2_00B8ABE4
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 1_2_00B8ABD31_2_00B8ABD3
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B76F8C4_2_00B76F8C
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B7AB564_2_00B7AB56
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_0177B29C4_2_0177B29C
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_0177C3104_2_0177C310
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_0177C5684_2_0177C568
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_0177B2904_2_0177B290
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_017799D04_2_017799D0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_0177DFD04_2_0177DFD0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073FB6204_2_073FB620
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F23604_2_073F2360
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F1F304_2_073F1F30
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F1EA84_2_073F1EA8
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073FED304_2_073FED30
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F6B204_2_073F6B20
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F9BB84_2_073F9BB8
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F2BA84_2_073F2BA8
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F3BE84_2_073F3BE8
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F99584_2_073F9958
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_073F3BD74_2_073F3BD7
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B7ABB14_2_00B7ABB1
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B7ABA04_2_00B7ABA0
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B7ABF54_2_00B7ABF5
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B7ABE44_2_00B7ABE4
              Source: C:\Users\user\Desktop\Vkdr225E85.exeCode function: 4_2_00B7ABD34_2_00B7ABD3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404DDB6_2_00404DDB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040BD8A6_2_0040BD8A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404E4C6_2_00404E4C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404EBD6_2_00404EBD
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404F4E6_2_00404F4E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004044197_2_00404419
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004045167_2_00404516
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004135387_2_00413538
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004145A17_2_004145A1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040E6397_2_0040E639
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004337AF7_2_004337AF
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004399B17_2_004399B1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0043DAE77_2_0043DAE7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00405CF67_2_00405CF6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00403F857_2_00403F85
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411F997_2_00411F99
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times