Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID: 341324
MD5: 134bf4ddd2a72c5c396647f7037af0e1
SHA1: 83407c5d075e7a8664bd50b1cfe6d82eb936342e
SHA256: 76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b
Tags: exe

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe Avira: detection malicious, Label: HEUR/AGEN.1138127
Found malware configuration
Source: vbc.exe.5556.8.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdbUs source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: ~symbols\dll\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760524179.000000001F6A7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbM source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760461215.000000001F666000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb_ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
Source: Binary string: 1FoC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: 1FoC:\Windows\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
Source: Binary string: System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbe.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb" source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbsI source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.750712522.0000000000E36000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbA source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb{ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp

Spreading:

May infect USB drives
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: [autorun]
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: autorun.inf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW, 0_2_00404A29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C118BD FindFirstFileExA, 0_2_00C118BD
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C11BA6 FindFirstFileExW,FindClose,FindNextFileW, 0_2_00C11BA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 7_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 8_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00404A29 FindFirstFileExW, 9_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A318BD FindFirstFileExA, 9_2_00A318BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW, 9_2_00A31BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31D31 FindFirstFileExA, 9_2_00A31D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31D5C FindFirstFileExW, 9_2_00A31D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00404A29 FindFirstFileExW, 14_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A318BD FindFirstFileExA, 14_2_00A318BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW, 14_2_00A31BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31D31 FindFirstFileExA, 14_2_00A31D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31D5C FindFirstFileExW, 14_2_00A31D5C

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 9_2_1D4F0728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 14_2_1B780728

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36 104.16.155.36
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: WindowsUpdate.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 35.37.15.0.in-addr.arpa
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp String found in binary or memory: http://crl.m
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000009.00000002.711861825.000000001B201000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.727436272.000000001BB01000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/fooT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com03
Source: WindowsUpdate.exe String found in binary or memory: http://whatismyipaddress.com/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.669445042.000000001DF35000.00000004.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665880005.000000001DF18000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com6
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comce
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comsig
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.666711909.000000001DF0D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.667302759.000000001DF0D000.00000004.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759400107.000000001DF00000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.667302759.000000001DF0D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comiond
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.663981836.000000001DF15000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665148269.000000001DF05000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/%k
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/.kL
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/8k~
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/pk
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/el-g
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/fk
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%k
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.kL
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665333527.000000001DF08000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/yk?
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ok
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pk
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665148269.000000001DF05000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/yk?
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.668830663.000000001DF35000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6204, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 6184, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6748, type: MEMORY
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Windows user hook set: thread id 0 (all threads, i.e. a global hook), type: keyboard low level, hook module: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 7_2_0040AC8A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO 2010029_pdf Quotation from Alibaba Ale.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040A2A5 0_2_0040A2A5
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C240F1 0_2_00C240F1
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C221EF 0_2_00C221EF
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BF012A 0_2_00BF012A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C2526F 0_2_00C2526F
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BFA20A 0_2_00BFA20A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BF0352 0_2_00BF0352
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C245ED 0_2_00C245ED
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BF05C2 0_2_00BF05C2
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C1975E 0_2_00C1975E
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BFD8C0 0_2_00BFD8C0
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BF0823 0_2_00BF0823
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE3998 0_2_00BE3998
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BEFA9C 0_2_00BEFA9C
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BF0A84 0_2_00BF0A84
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C24A05 0_2_00C24A05
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C1ABCC 0_2_00C1ABCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404DDB 7_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040BD8A 7_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404E4C 7_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404EBD 7_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404F4E 7_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404419 8_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404516 8_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00413538 8_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004145A1 8_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040E639 8_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004337AF 8_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004399B1 8_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0043DAE7 8_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00405CF6 8_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00403F85 8_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00411F99 8_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_0040A2A5 9_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A440F1 9_2_00A440F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A421EF 9_2_00A421EF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A1012A 9_2_00A1012A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A1A20A 9_2_00A1A20A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A4526F 9_2_00A4526F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A10352 9_2_00A10352
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A445ED 9_2_00A445ED
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A105C2 9_2_00A105C2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A3975E 9_2_00A3975E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A1D8C0 9_2_00A1D8C0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A10823 9_2_00A10823
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A03998 9_2_00A03998
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A10A84 9_2_00A10A84
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A0FA9C 9_2_00A0FA9C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A44A05 9_2_00A44A05
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A3ABCC 9_2_00A3ABCC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A0FCC4 9_2_00A0FCC4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A3DDAA 9_2_00A3DDAA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A1DD60 9_2_00A1DD60
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A1AEE0 9_2_00A1AEE0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A0FEF7 9_2_00A0FEF7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A3DED7 9_2_00A3DED7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A44E3A 9_2_00A44E3A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A1CFA0 9_2_00A1CFA0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_0040A2A5 14_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A440F1 14_2_00A440F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A421EF 14_2_00A421EF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A1012A 14_2_00A1012A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A1A20A 14_2_00A1A20A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A4526F 14_2_00A4526F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A10352 14_2_00A10352
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A445ED 14_2_00A445ED
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A105C2 14_2_00A105C2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A3975E 14_2_00A3975E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A1D8C0 14_2_00A1D8C0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A10823 14_2_00A10823
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A03998 14_2_00A03998
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A10A84 14_2_00A10A84
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A0FA9C 14_2_00A0FA9C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A44A05 14_2_00A44A05
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A3ABCC 14_2_00A3ABCC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A0FCC4 14_2_00A0FCC4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A3DDAA 14_2_00A3DDAA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A1DD60 14_2_00A1DD60
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A1AEE0 14_2_00A1AEE0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A0FEF7 14_2_00A0FEF7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A3DED7 14_2_00A3DED7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A44E3A 14_2_00A44E3A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A1CFA0 14_2_00A1CFA0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_1B472478 14_2_1B472478
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00BE1BB0 appears 67 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00C0894D appears 48 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00C063DC appears 37 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00BE1080 appears 69 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A02AC1 appears 36 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A263DC appears 92 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 0040569E appears 36 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A01080 appears 192 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A0302C appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A01BB0 appears 165 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A2894D appears 108 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00A09F33 appears 46 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
PE file contains strange resources
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: file.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: OriginalFilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.758970609.000000001DA62000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755045062.000000001B1A0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755169901.000000001B290000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755169901.000000001B290000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll
Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 14.2.WindowsUpdate.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 14.0.WindowsUpdate.exe.a00000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 9.0.WindowsUpdate.exe.a00000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.be0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs Base64 encoded string: 'ugaRi50M9oh3clpYn7+YE9uvSwepeMxgQYfH/J9PFXCSaU0npmgxrHOyHmnIJwUYxxz07aqO6YrRDYhFRffLnQ9jsWPCji3hDJrDPbYtoe4='
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs Base64 encoded string: 'ugaRi50M9oh3clpYn7+YE9uvSwepeMxgQYfH/J9PFXCSaU0npmgxrHOyHmnIJwUYxxz07aqO6YrRDYhFRffLnQ9jsWPCji3hDJrDPbYtoe4='
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs Base64 encoded string: 'ugaRi50M9oh3clpYn7+YE9uvSwepeMxgQYfH/J9PFXCSaU0npmgxrHOyHmnIJwUYxxz07aqO6YrRDYhFRffLnQ9jsWPCji3hDJrDPbYtoe4='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@14/11@3/4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 8_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 8_2_00415F87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 8_2_00411196
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 0_2_00401489
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Local\Temp\folder Jump to behavior
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: WindowsUpdate.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WindowsUpdate.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WindowsUpdate.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WindowsUpdate.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WindowsUpdate.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WindowsUpdate.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: unknown Process created: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static file information: File size 1086464 > 1048576
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdbUs source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: ~symbols\dll\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760524179.000000001F6A7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbM source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760461215.000000001F666000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb_ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
Source: Binary string: 1FoC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: 1FoC:\Windows\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
Source: Binary string: System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbe.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb" source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbsI source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.750712522.0000000000E36000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbA source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb{ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 7_2_00403C3D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401F16 push ecx; ret 0_2_00401F29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE1BF6 push ecx; ret 0_2_00BE1C09
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411879 push ecx; ret 7_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004118A0 push eax; ret 7_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004118A0 push eax; ret 7_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00442871 push ecx; ret 8_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00442A90 push eax; ret 8_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00442A90 push eax; ret 8_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00446E54 push eax; ret 8_2_00446E61
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00401F16 push ecx; ret 9_2_00401F29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A01BF6 push ecx; ret 9_2_00A01C09
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00401F16 push ecx; ret 14_2_00401F29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A01BF6 push ecx; ret 14_2_00A01C09

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: \po 2010029_pdf quotation from alibaba ale.exe
Drops PE files
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Local\Temp\folder\file.exe
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_0040F64B
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 1500000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\folder\file.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 1556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 5724 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 3436 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 612 Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6396 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6928 Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6928 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6912 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW, 0_2_00404A29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C118BD FindFirstFileExA, 0_2_00C118BD
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C11BA6 FindFirstFileExW,FindClose,FindNextFileW, 0_2_00C11BA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 7_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 8_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00404A29 FindFirstFileExW, 9_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A318BD FindFirstFileExA, 9_2_00A318BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW, 9_2_00A31BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31D31 FindFirstFileExA, 9_2_00A31D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31D5C FindFirstFileExW, 9_2_00A31D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00404A29 FindFirstFileExW, 14_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A318BD FindFirstFileExA, 14_2_00A318BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW, 14_2_00A31BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31D31 FindFirstFileExA, 14_2_00A31D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31D5C FindFirstFileExW, 14_2_00A31D5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004161B0 memset,GetSystemInfo, 8_2_004161B0
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WindowsUpdate.exe, 0000000E.00000002.723602799.0000000001715000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040446F
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 7_2_00403C3D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_004035F1 mov eax, dword ptr fs:[00000030h] 0_2_004035F1
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C27B00 mov eax, dword ptr fs:[00000030h] 0_2_00C27B00
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE90B9 mov eax, dword ptr fs:[00000030h] 0_2_00BE90B9
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE9077 mov eax, dword ptr fs:[00000030h] 0_2_00BE9077
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C064EE mov eax, dword ptr fs:[00000030h] 0_2_00C064EE
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C06492 mov eax, dword ptr fs:[00000030h] 0_2_00C06492
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C0644E mov eax, dword ptr fs:[00000030h] 0_2_00C0644E
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C0640A mov eax, dword ptr fs:[00000030h] 0_2_00C0640A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C065EA mov eax, dword ptr fs:[00000030h] 0_2_00C065EA
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C065A5 mov eax, dword ptr fs:[00000030h] 0_2_00C065A5
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C06662 mov eax, dword ptr fs:[00000030h] 0_2_00C06662
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C0662F mov eax, dword ptr fs:[00000030h] 0_2_00C0662F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_004035F1 mov eax, dword ptr fs:[00000030h] 9_2_004035F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A47B00 mov eax, dword ptr fs:[00000030h] 9_2_00A47B00