Analysis Report 5SOUNDPROOFING CATALOG___________________.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 163031
Start date: 14.08.2019
Start time: 06:05:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 5SOUNDPROOFING CATALOG___________________.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@10/6@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 45.6% (good quality ratio 35.9%)
  • Quality average: 62.3%
  • Quality standard deviation: 39.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 241
  • Number of non-executed functions: 238
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: HawkEye
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Management Instrumentation 111 | Scheduled Task 1 | Access Token Manipulation 1 | Software Packing 3 | Credential Dumping 1 | System Time Discovery 1 | Application Deployment Software | Data from Local System 1 | Data Encrypted 11 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Execution through API 1 | Port Monitors | Process Injection 11 | Disabling Security Tools 1 | Credentials in Files 2 | Account Discovery 1 | Remote Services | Clipboard Data 1 | Exfiltration Over Other Network Medium | Remote Access Tools 1
Drive-by Compromise | Scheduled Task 1 | Accessibility Features | Scheduled Task 1 | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Security Software Discovery 241 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 3 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation 1 | Account Manipulation | System Information Discovery 17 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Process Injection 11 | Brute Force | Query Registry 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Process Discovery 4 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Owner/User Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ | Avira URL Cloud: Label: malware
Source: https://a.pomf.cat/ | Google Safe Browsing: Label: malware
Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GcpGhOronG.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 5SOUNDPROOFING CATALOG___________________.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for domain / URL
Source: https://a.pomf.cat/ | virustotal: Detection: 8%
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00408CAC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen

Networking:

Found strings which match to known social media urls
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000002.25143916816.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Hotmail/MSN equals www.hotmail.com (Hotmail)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040F078 OpenClipboard,GetLastError,DeleteFileW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.25143916816.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT
Source: 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT
Source: 00000004.00000002.25311049621.0000000002BC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn
Source: 00000004.00000002.25308406154.0000000000752000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn
Source: 00000000.00000002.24938970908.000000000A4B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn
Source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.2690000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,FindCloseChangeNotification
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_0266A1F04_2_0266A1F0
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02664DB04_2_02664DB0
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02661D804_2_02661D80
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02668B804_2_02668B80
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026649984_2_02664998
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026684484_2_02668448
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02666A224_2_02666A22
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02666A304_2_02666A30
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026684394_2_02668439
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02663E004_2_02663E00
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026608014_2_02660801
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02667A114_2_02667A11
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026632184_2_02663218
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02667EC14_2_02667EC1
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026658804_2_02665880
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026627214_2_02662721
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02661D2A4_2_02661D2A
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026627304_2_02662730
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02666D304_2_02666D30
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02662F004_2_02662F00
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02663BF24_2_02663BF2
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02663DF24_2_02663DF2
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026645C04_2_026645C0
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026641CA4_2_026641CA
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026641D84_2_026641D8
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_02664DA14_2_02664DA1
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeCode function: 4_2_026645B24_2_026645B2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0044900F5_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004042EB5_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004142815_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004102915_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004063BB5_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004156245_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0041668D5_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0040477F5_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0040487C5_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0043589B5_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0043BA9D5_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0043FBD35_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404DE512_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404E5612_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404EC712_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404F5812_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0040BF6B12_2_0040BF6B
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 32 times
Sample file name differs from the OriginalFilename recorded in version info
Most of the OriginalFilename values below belong to system libraries mapped into the process (mscorrc.dll, mscorwks.dll, propsys.dll.mui, wmiutils.dll.mui) and carry no signal. The ones that characterise the sample are Minesweeper.exe (what the sample's own version resource claims; it is also present in the static file), CyaX.dll (a .NET loader stage whose PDB path is listed under the debug-symbol paths below), Reborn Stub.exe (HawkEye Reborn) and WebBrowserPassView.exe (the NirSoft credential recovery tool).
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24936716998.0000000008930000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000000.24884252156.0000000000D70000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCyaX.dll0 vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24937079129.00000000089E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24937079129.00000000089E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24936921610.0000000008990000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25308301976.0000000000380000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309094688.00000000009F0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25311049621.0000000002BC9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25312893345.0000000007A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25311909056.0000000004CE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs 5SOUNDPROOFING CATALOG___________________.exe
Source: 5SOUNDPROOFING CATALOG___________________.exe | Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 5SOUNDPROOFING CATALOG___________________.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File read: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe
Tries to load missing DLLs
wow64log.dll is requested by the WOW64 layer for every 32-bit process on 64-bit Windows and does not ship with the OS, so these entries carry no signal on their own.
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Section loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Section loaded: wow64log.dll
Yara signature match
Two rule families fire. The HawkEye Reborn rule (MAL_HawkEye_Keylogger_Gen_Dec18) hits the unpacked second stage of process 4 (image at 0x750000), the process 4 region at 0x2BC9000 that also carries the 'Reborn Stub.exe' version string, and a heap region of the initial process; this agrees with the rest of the report. The BabyShark/KimJongRAT rule (APT_NK_BabyShark_KimJoingRAT_Apr19_1) hits only the process 4 region at 0x2690000 and the PE recovered at vbc.exe's own image base (process 12, 0x400000). That 0x2690000 region is the same one that holds the WebBrowserPassView.exe version string and the WebBrowserPassView/mailpv PDB paths listed under the debug-symbol paths below, so the rule is most likely keyed on strings shared with the embedded NirSoft tools; check the rule body before treating this as a BabyShark attribution.
Source: 0000000C.00000002.25143916816.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000004.00000002.25311049621.0000000002BC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.25308406154.0000000000752000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.24938970908.000000000A4B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.2690000.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.2690000.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: 5SOUNDPROOFING CATALOG___________________.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GcpGhOronG.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functions
The type names begin with invisible Unicode format characters (U+202D, U+206B and similar) and the rest could not be rendered by the report, the usual signature of a .NET name obfuscator; the decompiled classes are from the unpacked second stage of process 4.
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to security
The calls listed (RegistryKey::SetAccessControl, RegistrySecurity::AddAccessRule, DirectoryInfo::SetAccessControl, WindowsIdentity::GetCurrent, WindowsPrincipal::IsInRole) are what code uses to test whether it runs as an administrator and to rewrite the ACLs on its own registry keys and drop directory.
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/6@0/0
Contains functionality for error logging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_06AB2336 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_06AB22FF AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Contains functionality to enum processes or threads
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File created: C:\Users\user\AppData\Roaming\GcpGhOronG.exe
Creates temporary files
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File created: C:\Users\user\AppData\Local\Temp\tmp810B.tmp
PE file has an executable .text section and no other executable section
Source: 5SOUNDPROOFING CATALOG___________________.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably written in C#)
The native images loaded belong to .NET Framework 2.0 (v2.0.50727), the same framework directory the vbc.exe instances are started from.
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Queries the CPU identifier via WMI (Win32_Processor)
The sandbox label reads 'Win32_Process', but the recorded query selects ProcessorId from Win32_Processor, a CPU identifier commonly used to fingerprint the host.
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
This key holds Software Restriction Policy rules and is consulted when processes start, so the read is common in benign processes as well.
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
These are SQLite engine statements (VACUUM and ALTER TABLE RENAME internals), expected from the embedded WebBrowserPassView, which reads browser credential databases stored in SQLite; they sit in the process 4 region at 0x2690000 and inside vbc.exe.
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.24941502852.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Spawns processes
Process tree as recorded: the sample starts schtasks.exe to register a task named Updates\GcpGhOronG from an XML definition it wrote to %TEMP% (the task name matches the dropped GcpGhOronG.exe), starts a second copy of its own image, and vbc.exe, the .NET Framework 2.0 Visual Basic compiler, is then launched twice from the sample's image with the /stext switch. vbc.exe has no such switch; /stext is the NirSoft command-line option that writes recovered credentials to a text file, and the WebBrowserPassView and mailpv PDB paths found inside vbc.exe's memory (see the debug-symbol paths below) identify the tools that were loaded into it. The two temporary output files named here are the credential dumps to look for on an affected host.
Source: unknown | Process created: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe 'C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GcpGhOronG' /XML 'C:\Users\user\AppData\Local\Temp\tmp810B.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8E3A.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp807A.tmp'
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GcpGhOronG' /XML 'C:\Users\user\AppData\Local\Temp\tmp810B.tmp'
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process created: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8E3A.tmp'
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp807A.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Opens the .NET runtime resource library mscorrc.dll (labelled 'Uses Microsoft Silverlight' by the sandbox)
mscorrc.dll under Framework\v2.0.50727 is the resource DLL of the .NET Framework 2.0 runtime (its mscorrc.pdb reference appears below), not Silverlight; this is ordinary runtime start-up and not an indicator.
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Reads Outlook's stored account settings (labelled 'Checks if Microsoft Office is installed' by the sandbox)
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts holds Outlook mail account settings and is one of the stores the NirSoft mailpv tool reads; the access comes from the vbc.exe host, consistent with the mailpv.pdb path found in that process.
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
PE file contains a COM descriptor data directory
Source: 5SOUNDPROOFING CATALOG___________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR DLLs
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 5SOUNDPROOFING CATALOG___________________.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb | source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdbdD~D pD_CorDllMainmscoree.dll | source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: mscorrc.pdb | source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24936716998.0000000008930000.00000002.00000001.sdmp, 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25312893345.0000000007A90000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_00CB10BE push edi; retf 0_2_00CB1126
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_00CB106F push edi; retf 0_2_00CB1126
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_00CB2FBF push eax; ret 0_2_00CB2FC1
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_0186497D pushad ; ret 0_2_01864983
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_01864979 pushad ; ret 0_2_0186497C
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 0_2_0186827E push ebx; iretd 0_2_0186827F
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 4_2_002C106F push edi; retf 4_2_002C1126
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 4_2_002C10BE push edi; retf 4_2_002C1126
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Code function: 4_2_002C2FBF push eax; ret 4_2_002C2FC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00444975 push ecx; ret 5_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00444B90 push eax; ret 5_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00444B90 push eax; ret 5_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00448E74 push eax; ret 5_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0042CF44 push ebx; retf 0042h 5_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00412341 push ecx; ret 12_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00412360 push eax; ret 12_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00412360 push eax; ret 12_2_0041239C
Binary may include packed or encrypted codeShow sources
Source: initial sampleStatic PE information: section name: .text entropy: 7.93449755311
Source: initial sampleStatic PE information: section name: .text entropy: 7.93449755311

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | File created: C:\Users\user\AppData\Roaming\GcpGhOronG.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GcpGhOronG' /XML 'C:\Users\user\AppData\Local\Temp\tmp810B.tmp'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00443A61
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process information set: NOOPENFILEERRORBOX (67 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp, 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25310990705.0000000002BB0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25310990705.0000000002BB0000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,FindCloseChangeNotification, 5_2_0040978A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe TID: 3952 | Thread sleep time: -57476s >= -30000s
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe TID: 5108 | Thread sleep count: 208 > 30
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe TID: 5108 | Thread sleep time: -208000s >= -30000s
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe TID: 5048 | Thread sleep count: 111 > 30
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe TID: 5048 | Thread sleep time: -111000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 5_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 5_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_0040702D
Contains functionality to query system information
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0041829C memset,GetSystemInfo, 5_2_0041829C
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24928585907.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Queries a list of all running processes
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | System information queried: KernelDebuggerInformation
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,FindCloseChangeNotification, 5_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_004443B0
Enables debug privileges
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Memory written: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe base: 750000 value starts with: 4D5A
May try to detect the Windows Explorer process (often used for injection)
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309467071.0000000001140000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309467071.0000000001140000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309467071.0000000001140000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25309467071.0000000001140000.00000002.00000001.sdmp | Binary or memory string: Program Manager>

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 5_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy
Contains functionality to query the account / user name
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 12_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
Contains functionality to query windows version
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 5_2_004083A1 GetVersionExW
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\5SOUNDPROOFING CATALOG___________________.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25310990705.0000000002BB0000.00000004.00000001.sdmp, Binary or memory strings: bdagent.exe, MSASCui.exe, avguard.exe, avgrsx.exe, avcenter.exe, avp.exe, zlclient.exe, wireshark.exe, avgcsrvx.exe, avgnt.exe, hijackthis.exe, avgui.exe, avgwdsvc.exe, mbam.exe, MsMpEng.exe, ComboFix.exe

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\xwt1js18.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\key4.db
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 12_2_00402D74 strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 12_2_00402D74 strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 12_2_004033B1 ESMTPPassword

Remote Access Functionality:

Detected HawkEye Rat
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000000.00000002.24938970908.000000000A4B1000.00000004.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: 5SOUNDPROOFING CATALOG___________________.exe, 00000004.00000002.25308406154.0000000000752000.00000040.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles

Behavior Graph

[Behavior graph image, ID 163031. Sample: 5SOUNDPROOFING CATALOG___________________.exe, start date 14/08/2019, architecture WINDOWS, score 100. Content recoverable from the graph:]
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures.
Process tree: 5SOUNDPROOFING CATALOG___________________.exe starts and drops C:\Users\user\AppData\...\GcpGhOronG.exe (PE32), the GcpGhOronG.exe:Zone.Identifier stream (ASCII), C:\Users\user\AppData\Local\...\tmp810B.tmp (XML) and 5SOUNDPROOFING CAT...___________.exe.log (ASCII); signature: Injects a PE file into a foreign processes. It then starts a second 5SOUNDPROOFING CATALOG___________________.exe and schtasks.exe (which starts conhost.exe). The second instance starts two vbc.exe processes.
vbc.exe signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access).

Simulations

Behavior and APIs

Time      Type             Description
06:06:46  API Interceptor  4x Sleep call for process: 5SOUNDPROOFING CATALOG___________________.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source                                          Detection  Scanner         Label
5SOUNDPROOFING CATALOG___________________.exe   100%       Joe Sandbox ML

Dropped Files

Source                                          Detection  Scanner         Label
C:\Users\user\AppData\Roaming\GcpGhOronG.exe    100%       Joe Sandbox ML

Unpacked PE Files

Source                                                               Detection  Scanner  Label
5.2.vbc.exe.400000.0.unpack                                          100%       Avira    HEUR/AGEN.1008636
4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack    100%       Avira    TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source  Detection  Scanner  Label
http://fontfabrik.com:0%virustotalBrowse
http://fontfabrik.com:0%Avira URL Cloudsafe
http://www.jiyu-kobo.co.jp/Y0/0%Avira URL Cloudsafe
http://www.monotype.0%Avira URL Cloudsafe
http://www.monotype.0%Google Safe Browsingsafe
http://www.jiyu-kobo.co.jp/0%virustotalBrowse
http://www.jiyu-kobo.co.jp/0%Avira URL Cloudsafe
http://www.jiyu-kobo.co.jp/0%Google Safe Browsingsafe
http://www.jiyu-kobo.co.jp/iy/0%Avira URL Cloudsafe
http://www.tiro.comg0%Avira URL Cloudsafe
http://www.jiyu-kobo.co.jp/f0%Avira URL Cloudsafe
http://www.monotype.=0%Avira URL Cloudsafe
http://pomf.cat/upload.phpCContent-Disposition:0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row as offset:$identifier: value)
0000000C.00000002.25143916816.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000004.00000002.25309681332.0000000002690000.00000004.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b4fa:$a1: logins.json
  • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6bc7e:$s4: \mozsqlite3.dll
  • 0x6a4ee:$s5: SMTP Password
00000004.00000002.25311049621.0000000002BC9000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8f524:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x8e620:$s2: _ScreenshotLogger
  • 0x8eb6c:$s2: _ScreenshotLogger
  • 0x8e5ed:$s3: _PasswordStealer
  • 0x8eb39:$s3: _PasswordStealer
00000004.00000002.25308406154.0000000000752000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87a2e:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x87a97:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x80e71:$s2: _ScreenshotLogger
  • 0x80e3e:$s3: _PasswordStealer
00000000.00000002.24938970908.000000000A4B1000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x2268e6:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x22694f:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x2b0b06:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x2b0b6f:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x21fd29:$s2: _ScreenshotLogger
  • 0x2a9f49:$s2: _ScreenshotLogger
  • 0x21fcf6:$s3: _PasswordStealer
  • 0x2a9f16:$s3: _PasswordStealer

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row as offset:$identifier: value)
12.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
4.2.5SOUNDPROOFING CATALOG___________________.exe.750000.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c2e:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x87c97:$s1: H\x00a\x00w\x00k\x00E\x00y\x00e\x00 \x00K\x00e\x00y\x00l\x00o\x00g\x00g\x00e\x00r\x00
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
4.2.5SOUNDPROOFING CATALOG___________________.exe.2690000.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b4fa:$a1: logins.json
  • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6bc7e:$s4: \mozsqlite3.dll
  • 0x6a4ee:$s5: SMTP Password
4.2.5SOUNDPROOFING CATALOG___________________.exe.2690000.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x696fa:$a1: logins.json
  • 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x69e7e:$s4: \mozsqlite3.dll
  • 0x686ee:$s5: SMTP Password
12.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
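Added example (not part of the Joe Sandbox report and not Florian Roth's rule code): a small scanner that re-creates the Strings column of the two Yara tables above over a constructed stand-in for a memory dump. It shows why the HawkEye $s1 hit is printed as H\x00a\x00w\x00k\x00... (the rule string is matched in its UTF-16LE, i.e. Yara "wide", form, so a plain ASCII search for "HawkEye Keylogger" finds nothing) and how each row is rendered as offset:$identifier: value. The string lists are copied from the tables; the fire/no-fire condition used here (every listed string present) is a simplification for the example and is not the condition of the real rules, and the dump contents are constructed. One reading caveat for these matches: the strings that fired for the BabyShark rule (logins.json, the moz_logins SELECT, \mozsqlite3.dll) are Firefox credential-store artifacts found in many commodity stealers, so that hit alone is weak evidence for the BabyShark/KimJongRAT attribution; the HawkEye Keylogger strings are the more specific signal.

```python
"""Re-create the report's Yara 'Strings' rows over a constructed memory dump."""
from typing import Dict, List, Tuple

# (text, modifier) per identifier, copied from the tables above. The report
# prints HawkEye $s1 as "H\x00a\x00w..." - the UTF-16LE ("wide") encoding of
# "HawkEye Keylogger"; the remaining strings were matched as plain ASCII.
HAWKEYE_STRINGS: Dict[str, Tuple[str, str]] = {
    "$s1": ("HawkEye Keylogger", "wide"),
    "$s2": ("_ScreenshotLogger", "ascii"),
    "$s3": ("_PasswordStealer", "ascii"),
}
BABYSHARK_STRINGS: Dict[str, Tuple[str, str]] = {
    "$a1": ("logins.json", "ascii"),
    "$s3": ("SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
            "passwordField, encryptedUsername, encryptedPassword FROM moz_login", "ascii"),
    "$s4": ("\\mozsqlite3.dll", "ascii"),
    "$s5": ("SMTP Password", "ascii"),
}


def encode_pattern(text: str, modifier: str) -> bytes:
    """Bytes Yara actually searches for: 'wide' interleaves a 0x00 after each char."""
    if modifier == "wide":
        return text.encode("utf-16-le")
    return text.encode("ascii")


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in blob (overlaps allowed), ascending."""
    offsets, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def scan(blob: bytes, strings: Dict[str, Tuple[str, str]]) -> List[Tuple[int, str, bytes]]:
    """(offset, identifier, matched bytes) for each hit, sorted by offset."""
    hits = []
    for ident, (text, modifier) in strings.items():
        needle = encode_pattern(text, modifier)
        hits.extend((off, ident, needle) for off in find_all(blob, needle))
    return sorted(hits)


def format_hits(hits: List[Tuple[int, str, bytes]]) -> List[str]:
    """Render hits as the report does: 0x<offset>:$id: value, non-printables as \\xNN."""
    lines = []
    for off, ident, value in hits:
        shown = "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in value)
        lines.append(f"0x{off:x}:{ident}: {shown}")
    return lines


def rule_fires(hits: List[Tuple[int, str, bytes]], strings: Dict[str, Tuple[str, str]]) -> bool:
    """Simplified condition for this example only (assumption, not the real rules'
    condition): the rule fires when every listed string occurs at least once."""
    return {ident for _, ident, _ in hits} == set(strings)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not the real sample):
    a zero-filled 1 KiB region with the rule strings planted at fixed offsets."""
    dump = bytearray(0x400)
    plant = [
        (0x040, encode_pattern("_PasswordStealer", "ascii")),
        (0x060, encode_pattern("_ScreenshotLogger", "ascii")),
        (0x080, encode_pattern("HawkEye Keylogger", "wide")),   # 34 bytes
        (0x100, encode_pattern("HawkEye Keylogger", "wide")),   # second copy, as in the report
        (0x140, encode_pattern("logins.json", "ascii")),
        (0x180, encode_pattern(BABYSHARK_STRINGS["$s3"][0], "ascii")),  # 128 bytes
        (0x240, encode_pattern("\\mozsqlite3.dll", "ascii")),
        (0x300, encode_pattern("SMTP Password", "ascii")),
    ]
    for off, data in plant:
        dump[off:off + len(data)] = data
    return bytes(dump)


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for name, strings in (("HawkEye", HAWKEYE_STRINGS), ("BabyShark", BABYSHARK_STRINGS)):
        hits = scan(SAMPLE_DUMP, strings)
        print(f"{name}: fires={rule_fires(hits, strings)}")
        for line in format_hits(hits):
            print("  " + line)
```

Running it prints two $s1 rows for the planted wide string (0x80 and 0x100) in the same H\x00a\x00w... form the report uses, while find_all(SAMPLE_DUMP, b"HawkEye Keylogger") returns nothing; that is the reason ASCII-only string dumps of .NET binaries such as this one miss most of their indicators. To scan a real dump, read it into bytes and pass it to scan() in place of SAMPLE_DUMP.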

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.