
Analysis Report QNSpfBSrsR.exe

Overview

General Information

Sample Name:QNSpfBSrsR.exe
Analysis ID:330378
MD5:7da4f5e17791a774131c3c97538a2495
SHA1:552b4a357b259935a35b06d040d7f2e3205c8e42
SHA256:ac8ef770d70da42ea56d5b15fb5db0be89ae9250ac78b2bfd493843a50399a19
Tags:exeHawkEye

Most interesting Screenshot:

Detection

HawkEye M00nD3v Logger MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected M00nD3v Logger
Yara detected MailPassView
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • QNSpfBSrsR.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\QNSpfBSrsR.exe' MD5: 7DA4F5E17791A774131C3C97538A2495)
    • QNSpfBSrsR.exe (PID: 7128 cmdline: C:\Users\user\Desktop\QNSpfBSrsR.exe MD5: 7DA4F5E17791A774131C3C97538A2495)
    • QNSpfBSrsR.exe (PID: 6384 cmdline: C:\Users\user\Desktop\QNSpfBSrsR.exe MD5: 7DA4F5E17791A774131C3C97538A2495)
    • QNSpfBSrsR.exe (PID: 2800 cmdline: C:\Users\user\Desktop\QNSpfBSrsR.exe MD5: 7DA4F5E17791A774131C3C97538A2495)
      • vbc.exe (PID: 4204 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5732 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7132 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7012 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4088 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 1072 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
11.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
10.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x134d2:$a1: logins.json
  • 0x13432:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13c56:$s4: \mozsqlite3.dll
  • 0x124c6:$s5: SMTP Password

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.4204.10.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: QNSpfBSrsR.exe | Virustotal: Detection: 28%
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: QNSpfBSrsR.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: QNSpfBSrsR.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://dyn.com/dns/
Source: QNSpfBSrsR.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591yu1SPS
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1)
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll
Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: QNSpfBSrsR.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: QNSpfBSrsR.exe, 00000008.00000002.1022069399.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&gl=GB&pc=s&uxe=4421591
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/(x
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/7a5c56LMEMx
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/7a5c56LMEMx8
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/SFQ
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/er9
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/search
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/url
Source: QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1016568541.0000000001542000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
Source: Yara match | File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06163CA8 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06163CA0 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01721108
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017289F8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017219B1
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01722358
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01729B39
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017282F0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017232B0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172E580
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017204E8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172CF61
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172A628
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01726603
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01725908
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017289E7
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017269D8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172D9D8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017269C8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017231B5
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01727048
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01727038
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017250F3
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017258F9
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017210E8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01725B09
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017213E0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01726B93
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724248
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724238
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724200
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017282E1
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01721DF8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724DE0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01724DD0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172E5C0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01721DA0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172A58D
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017254A0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01725490
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01727708
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172DFF1
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_01726639
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_0172A60C
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017276F8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017256C0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_017256B0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3E510
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3BAE0
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3D600
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C31910
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C31920
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C36C80
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C37C20
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C3B038
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C35F10
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C35F20
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C36248
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_05C36258
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06160A48
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06161B18
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06161F08
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06163195
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_061603A5
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06160FD7
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_06160FD8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_061613F8
Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Code function: 8_2_061613E9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040BF6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
Source: QNSpfBSrsR.exe | Static PE information: invalid certificate
Source: QNSpfBSrsR.exe, 00000008.00000002.1022383238.0000000006170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs QNSpfBSrsR.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1016019663.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QNSpfBSrsR.exe
Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameccdf cff.exe2 vs QNSpfBSrsR.exe
Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@19/2@0/0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource,
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QNSpfBSrsR.exe.log
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMutant created: \Sessions\1\BaseNamedObjects\ae5d6307-0d62-4e92-938b-debeac1db00e
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeFile created: C:\Users\user\AppData\Local\Temp\2c99a7ed-ddac-ab7c-0bfe-56058ec17ef8
            Source: QNSpfBSrsR.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: QNSpfBSrsR.exeVirustotal: Detection: 28%
            Source: unknownProcess created: C:\Users\user\Desktop\QNSpfBSrsR.exe 'C:\Users\user\Desktop\QNSpfBSrsR.exe'
            Source: unknownProcess created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: QNSpfBSrsR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: QNSpfBSrsR.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: QNSpfBSrsR.exeStatic file information: File size 7447752 > 1048576
            Source: QNSpfBSrsR.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x718800
            Source: QNSpfBSrsR.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: QNSpfBSrsR.exe, 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00403C17 LoadLibraryA,GetProcAddress,strcpy,
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_017261E8 push esp; iretd
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_0172F353 push FFD2B0BAh; retf
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_05C35929 push esi; ret
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_05C36B34 push 6A3205C3h; ret
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_05C35EC3 push ecx; ret
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_05C36ADB push 633105C3h; ret
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_05C35E5B push edi; ret
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_061633FD push es; retf
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeCode function: 8_2_061633EC push es; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00412341 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00412360 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00412360 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara matchFile source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmpBinary or memory string: WIRESHARK.EXE
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeThread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 6656Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 5748Thread sleep count: 177 > 30
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 5748Thread sleep time: -177000s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852Thread sleep count: 276 > 30
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe TID: 1852Thread sleep time: -276000s >= -30000s
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 10_2_00403C17 LoadLibraryA,GetProcAddress,strcpy,
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 25D008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3A6008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 22D008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20E008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Users\user\Desktop\QNSpfBSrsR.exe C:\Users\user\Desktop\QNSpfBSrsR.exe
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017113609.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Users\user\Desktop\QNSpfBSrsR.exe VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Users\user\Desktop\QNSpfBSrsR.exe VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00406282 GetVersionExA,
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avp.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
            Source: QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Source: Yara match | File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
            Yara detected M00nD3v Logger
            Source: Yara match | File source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Yara detected MailPassView
            Source: Yara match | File source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.727612080.0000000004A15000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1017907114.0000000003343000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1019556248.000000000347F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1021020173.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1019524329.0000000003462000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1021102525.0000000004211000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4204, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7132, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1072, type: MEMORY
            Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7012, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4088, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5732, type: MEMORY
            Source: Yara match | File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.QNSpfBSrsR.exe.3090000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.QNSpfBSrsR.exe.3090000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\QNSpfBSrsR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_LoopPasswordStealer_KeyStrokeLogger_EmptyKeyStroke_ClipboardLogger_EmptyClipboard_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY
            Source: Yara match | File source: 8.2.QNSpfBSrsR.exe.400000.0.unpack, type: UNPACKEDPE
            Yara detected M00nD3v Logger
            Source: Yara match | File source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: QNSpfBSrsR.exe PID: 2800, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 412 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 2 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Credentials In Files 1 | System Information Discovery 15 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Security Software Discovery 22 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 412 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            QNSpfBSrsR.exe | 29% | Virustotal |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            6.0.QNSpfBSrsR.exe.30000.0.unpack | 100% | Avira | HEUR/AGEN.1100765
            4.2.QNSpfBSrsR.exe.310000.0.unpack | 100% | Avira | HEUR/AGEN.1100765
            4.0.QNSpfBSrsR.exe.310000.0.unpack | 100% | Avira | HEUR/AGEN.1100765
            8.0.QNSpfBSrsR.exe.7f0000.0.unpack | 100% | Avira | HEUR/AGEN.1100765
            8.2.QNSpfBSrsR.exe.7f0000.1.unpack | 100% | Avira | HEUR/AGEN.1100765
            8.2.QNSpfBSrsR.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
            6.2.QNSpfBSrsR.exe.30000.0.unpack | 100% | Avira | HEUR/AGEN.1100765
            0.0.QNSpfBSrsR.exe.820000.0.unpack | 100% | Avira | HEUR/AGEN.1100765

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
            http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
            https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll | 0% | Avira URL Cloud | safe
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
            https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
            https://sectigo.com/CPS0D | 0% | URL Reputation | safe
            https://sectigo.com/CPS0D | 0% | URL Reputation | safe
            https://sectigo.com/CPS0D | 0% | URL Reputation | safe
            https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEye | 0% | Avira URL Cloud | safe
            http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094 | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            http://pomf.cat/upload.php&https://a.pomf.cat/ | QNSpfBSrsR.exe, 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://dyn.com/dns/ | QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | false |  | high
            http://pomf.cat/upload.php | QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://ocsp.sectigo.com0 | QNSpfBSrsR.exe | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1) | QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | false |  | high
            https://contextual.media.net/medianet.php | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll | QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1 | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM | QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | false |  | high
            http://bot.whatismyipaddress.com/ | QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | false |  | high
            http://www.msn.com/ | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            http://www.msn.com/de-ch/?ocid=iehp | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | QNSpfBSrsR.exe | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
            https://a.pomf.cat/ | QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM | QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp | false |  | high
            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | QNSpfBSrsR.exe | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
            http://www.msn.com/de-ch/ | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            http://www.msn.com/?ocid=iehp | QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  | high
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1 | QNSpfBSrsR.exe, 00000008.00000003.736849493.0000000001556000.00000004.00000001.sdmp, QNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmp | false |  |
                                          high
                                          https://sectigo.com/CPS0DQNSpfBSrsR.exefalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://contextual.media.net/checksync.phpQNSpfBSrsR.exe, 00000008.00000002.1017856327.00000000032F7000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.nirsoft.net/vbc.exe, 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmpfalse
                                              high
                                              https://m00nd3v.com/M00nD3v/HawkEyeDecrypt/BouncyCastle.Crypto.dll;HawkEyeQNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://pomf.cat/upload.phpCContent-Disposition:QNSpfBSrsR.exe, 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown

                                              Contacted IPs

                                              No contacted IP infos

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:330378
                                              Start date:14.12.2020
                                              Start time:20:44:48
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 26s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:QNSpfBSrsR.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of new started processes analysed:21
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.phis.troj.spyw.evad.winEXE@19/2@0/0
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 97.4% (good quality ratio 94.5%)
                                              • Quality average: 85.6%
                                              • Quality standard deviation: 23.2%
                                              HCA Information:
                                              • Successful, ratio: 91%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              Time:20:46:14
                                              Type:API Interceptor
                                              Description:4x Sleep call for process: QNSpfBSrsR.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QNSpfBSrsR.exe.log
                                              Process:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1039
                                              Entropy (8bit):5.365622957937216
                                              Encrypted:false
                                              SSDEEP:24:ML9E4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MxHKX9HKnYHKhQnoPtHoxHhAHKzvKvj
                                              MD5:FC95B72FA9788BDF0B8075C768FFDCEB
                                              SHA1:2ED2BE675DAF980B3061A622CBF795050F9A68DC
                                              SHA-256:37D8549A8145090B163B3C5D4A91231AFE1F66E7C1A7203BDE5D48147B0C3B5E
                                              SHA-512:B6CDA7870B3154B1D77663E4005EFA1C4EA210F955456FC8F8B2445FFCD52B41EAFAC2144E4F1B3BC86D4604F0E86DF5664921C354B313EF7E256162D604E459
                                              Malicious:true
                                              Reputation:low
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutra
                                              C:\Users\user\AppData\Local\Temp\2c99a7ed-ddac-ab7c-0bfe-56058ec17ef8
                                              Process:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):5.170009133144317
                                              Encrypted:false
                                              SSDEEP:3:jtVmFNNAS2hETnRjSx70R:R4FMlEDhSxAR
                                              MD5:EDDF4AFD9D3CE9C5D57234128FA4CD0F
                                              SHA1:6F93430D79476D6BFF5399B739FF8ACF25CFCB31
                                              SHA-256:65A2D13D0B38BEAD3D51E9F9E999301935E030CC0D0F316EF9F6BC2901ACA7CA
                                              SHA-512:0395D7F3E4A3214BAE3BF85FB2612A9F28CCC9F9041531A9896C4843B5D4500C90939782B3D4442BB910F29C280EF4D9DC45CCE027FD1E4F45DA1AA13CD93CA7
                                              Malicious:false
                                              Reputation:low
                                              Preview: 9wHh5F5EFWGRw9hKOrebnQMVAX1DfrU1/zj4/9fYO3TCqGAOjpHHJ9y6HHZF4qlc

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.138250665474018
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                              • Win32 Executable (generic) a (10002005/4) 49.97%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:QNSpfBSrsR.exe
                                              File size:7447752
                                              MD5:7da4f5e17791a774131c3c97538a2495
                                              SHA1:552b4a357b259935a35b06d040d7f2e3205c8e42
                                              SHA256:ac8ef770d70da42ea56d5b15fb5db0be89ae9250ac78b2bfd493843a50399a19
                                              SHA512:4c0460e29457f9910f5ebb4090fbaf1e29d28e4d2abb5f63dbe83061cdb306e0c545db97662f6a380e438d615ad3b9f43eec8d7b1f9b57eecff63ef45557ce7b
                                              SSDEEP:98304:eUYsXqrhgjzKQYaqTvH6nn0GRj27SchULsKSNiT3I0jibPQMpG:FqrwaPQj2hawI
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..................q...........q.. ....q...@.. ........................q......ur...@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0xb1a60e
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x5FD6B4F0 [Mon Dec 14 00:42:24 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Authenticode Signature

                                              Signature Valid:false
                                              Signature Issuer:C=US, L=New York, OU=Baedefcfddfbcecebdabbeddf, O=Aeefdaeadcceedeacdeefbeaef, CN=Debffeeacbbfccdbbc
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before:12/14/2020 1:42:24 AM
                                              Not After:12/14/2021 1:42:24 AM
                                              Subject Chain
                                              • C=US, L=New York, OU=Baedefcfddfbcecebdabbeddf, O=Aeefdaeadcceedeacdeefbeaef, CN=Debffeeacbbfccdbbc
                                              Version:3
                                              Thumbprint MD5:0357455039907173BFA3B8FD74814EF2
                                              Thumbprint SHA-1:DA2C9B8B17C7345CD58419DECF60533552E7F006
                                              Thumbprint SHA-256:86046CCE2B43DEF5D347CAD7BC5BC139E33928D0C5896D5F48B5D0318A875FAE
                                              Serial:00D28C58DA0E5518BB07BE5158F1D013FE

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al (repeated for the rest of the preview: the bytes following the managed entry-point jump are zero padding, which disassembles as this instruction)

                                              Data Directories

                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x71a5b4         0x57          .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x718c00         0x18c8        .text
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x71c000         0xc           .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                              Sections

                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                              .text   0x2000           0x718614      0x718800  unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .reloc  0x71c000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Imports

                                              DLL          Import
                                              mscoree.dll  _CorExeMain

                                              Network Behavior

                                              No network behavior found

                                              Code Manipulations

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

                                              Start time:20:45:39
                                              Start date:14/12/2020
                                              Path:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\QNSpfBSrsR.exe'
                                              Imagebase:0x820000
                                              File size:7447752 bytes
                                              MD5 hash:7DA4F5E17791A774131C3C97538A2495
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:low

                                              General

                                              Start time:20:46:05
                                              Start date:14/12/2020
                                              Path:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Imagebase:0x310000
                                              File size:7447752 bytes
                                              MD5 hash:7DA4F5E17791A774131C3C97538A2495
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              General

                                              Start time:20:46:07
                                              Start date:14/12/2020
                                              Path:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Imagebase:0x30000
                                              File size:7447752 bytes
                                              MD5 hash:7DA4F5E17791A774131C3C97538A2495
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              General

                                              Start time:20:46:12
                                              Start date:14/12/2020
                                              Path:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\QNSpfBSrsR.exe
                                              Imagebase:0x7f0000
                                              File size:7447752 bytes
                                              MD5 hash:7DA4F5E17791A774131C3C97538A2495
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1020981161.000000000358C000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000003.727612080.0000000004A15000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_M00nD3vLogger, Description: Yara detected M00nD3v Logger, Source: 00000008.00000002.1017388940.0000000003211000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1017907114.0000000003343000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1017257384.0000000003090000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1019556248.000000000347F000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1021020173.00000000035A9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1019524329.0000000003462000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1021102525.0000000004211000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:20:46:18
                                              Start date:14/12/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:20:46:18
                                              Start date:14/12/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C48.tmp'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.739399669.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:20:47:22
                                              Start date:14/12/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:20:47:23
                                              Start date:14/12/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9CC3.tmp'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.878633274.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:20:48:25
                                              Start date:14/12/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8FAF.tmp'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.1011864489.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high

                                              General

                                              Start time:20:48:26
                                              Start date:14/12/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9398.tmp'
                                              Imagebase:0x400000
                                              File size:1171592 bytes
                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.1014010873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:high
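The six vbc.exe records above share one shape: a benign, signed .NET compiler binary started with the NirSoft `/stext <file>` switch (which the real vbc.exe does not have), writing to a random `tmpXXXX.tmp` under the user's Temp directory, and a Yara hit on an executable+writable memory dump at the process's own image base 0x400000. The following triage helper, an added example that is not part of the Joe Sandbox report, turns those records into findings a responder can act on. Two assumptions made here and not stated by the report: the `.sdmp` name is laid out as `pid.dumpno.id.base.protection.type`, and the protection field is a Win32 `PAGE_*` value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The `RECORDS` list is constructed from three of the records on this page.

```python
"""Triage of Joe Sandbox process records (added example, not report code).
Assumed: .sdmp names are pid.dumpno.id.base.protection.type and the protection
field is a Win32 PAGE_* constant. RECORDS is constructed from the page above."""
import re
from typing import Dict, List, Optional

PAGE_READWRITE = 0x04          # winnt.h
PAGE_EXECUTE_READWRITE = 0x40  # winnt.h

RECORDS: List[Dict] = [
    {   # sample process 0x08 (QNSpfBSrsR.exe); image base and command line not in this section
        "pid": 0x08, "image": "QNSpfBSrsR.exe", "imagebase": None, "cmdline": "",
        "yara_sources": [
            "00000008.00000002.1017545701.000000000328D000.00000004.00000001.sdmp",
            "00000008.00000002.1014445392.0000000000402000.00000040.00000001.sdmp",
        ],
    },
    {   # process 0x0A: vbc.exe run with the NirSoft /stext switch
        "pid": 0x0A, "image": "vbc.exe", "imagebase": 0x400000,
        "cmdline": r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9C49.tmp'",
        "yara_sources": ["0000000A.00000002.739382606.0000000000400000.00000040.00000001.sdmp"],
    },
    {   # process 0x0F: same pattern about a minute later
        "pid": 0x0F, "image": "vbc.exe", "imagebase": 0x400000,
        "cmdline": r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp989B.tmp'",
        "yara_sources": ["0000000F.00000002.876231898.0000000000400000.00000040.00000001.sdmp"],
    },
]

# Assumed dump-name layout (see module docstring).
_SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<dumpno>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)
# The VB.NET compiler has no /stext switch; NirSoft password recovery tools use it
# to write their results to a text file, which is what the loader is abusing here.
_VBC_STEXT_RE = re.compile(r"""(?i)[\\/]vbc\.exe['"]?\s+/stext\s+['"]?(?P<out>[^'"\s]+)""")
_TEMP_TMP_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$")


def parse_sdmp(name: str) -> Optional[Dict[str, int]]:
    """Split a dump name into its numeric fields; None if it does not fit the layout."""
    m = _SDMP_RE.match(name)
    if not m:
        return None
    return {"pid": int(m["pid"], 16), "dumpno": int(m["dumpno"], 16), "id": int(m["id"]),
            "base": int(m["base"], 16), "prot": int(m["prot"], 16), "type": int(m["type"], 16)}


def rwx_dump_bases(record: Dict) -> List[int]:
    """Base addresses of Yara-matched dumps taken from executable+writable memory."""
    bases = []
    for src in record["yara_sources"]:
        d = parse_sdmp(src)
        if d and d["prot"] == PAGE_EXECUTE_READWRITE:
            bases.append(d["base"])
    return bases


def looks_hollowed(record: Dict) -> bool:
    """A Yara-matched RWX region sitting exactly at the process's own image base means
    the on-disk image was replaced in memory: the process hollowing the report flags."""
    return record["imagebase"] is not None and record["imagebase"] in rwx_dump_bases(record)


def stext_output(record: Dict) -> Optional[str]:
    """Output file passed to a vbc.exe /stext invocation, or None."""
    m = _VBC_STEXT_RE.search(record["cmdline"])
    return m["out"] if m else None


def triage(record: Dict) -> List[str]:
    """Human-readable findings for one process record."""
    findings = []
    out = stext_output(record)
    if out:
        findings.append("vbc.exe run with NirSoft-style /stext switch -> " + out)
        if _TEMP_TMP_RE.search(out):
            findings.append("credential dump written to %LOCALAPPDATA%\\Temp\\tmpXXXX.tmp")
    if looks_hollowed(record):
        findings.append("Yara-matched RWX region at image base 0x%X (process hollowing)" % record["imagebase"])
    for base in rwx_dump_bases(record):
        if base != record["imagebase"]:
            findings.append("Yara-matched RWX region at 0x%X (unpacked payload)" % base)
    return findings


def collect_dump_files(records: List[Dict]) -> List[str]:
    """Every file a hollowed vbc.exe was told to write; these are what the parent reads
    back and exfiltrates, so recover them (or their deleted remnants) during forensics."""
    return sorted({p for p in (stext_output(r) for r in records) if p})


if __name__ == "__main__":
    for r in RECORDS:
        print("%s (pid 0x%02X):" % (r["image"], r["pid"]))
        for f in triage(r):
            print("  -", f)
    print("dump files:", collect_dump_files(RECORDS))
```

The temp file names are random per run, so they are forensic artifacts to look for on the victim host rather than reusable indicators; the durable detection is the command-line shape (vbc.exe with `/stext`) together with a non-image-backed RWX region at the image base, both of which a process-creation log plus a memory scan can check without any sandbox.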

                                              Disassembly

                                              Code Analysis
