
Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name:PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID:341324
MD5:134bf4ddd2a72c5c396647f7037af0e1
SHA1:83407c5d075e7a8664bd50b1cfe6d82eb936342e
SHA256:76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b
Tags:exe


Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO 2010029_pdf Quotation from Alibaba Ale.exe (PID: 6184 cmdline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe' MD5: 134BF4DDD2A72C5C396647F7037AF0E1)
    • cmd.exe (PID: 1904 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1836 cmdline: schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • dw20.exe (PID: 4856 cmdline: dw20.exe -x -s 2532 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • vbc.exe (PID: 5896 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 5556 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 6748 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 134BF4DDD2A72C5C396647F7037AF0E1)
  • WindowsUpdate.exe (PID: 6204 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 134BF4DDD2A72C5C396647F7037AF0E1)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x8cce3:$key: HawkEyeKeylogger
  • 0x8ef67:$salt: 099u787978786
  • 0x8d346:$string1: HawkEye_Keylogger
  • 0x8e199:$string1: HawkEye_Keylogger
  • 0x8eec7:$string1: HawkEye_Keylogger
  • 0x8d72f:$string2: holdermail.txt
  • 0x8d74f:$string2: holdermail.txt
  • 0x8d671:$string3: wallet.dat
  • 0x8d689:$string3: wallet.dat
  • 0x8d69f:$string3: wallet.dat
  • 0x8ea8b:$string4: Keylog Records
  • 0x8eda3:$string4: Keylog Records
  • 0x8efbf:$string5: do not script -->
  • 0x8cccb:$string6: \pidloc.txt
  • 0x8cd59:$string7: BSPLIT
  • 0x8cd69:$string7: BSPLIT

Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x8d39e:$hawkstr1: HawkEye Keylogger
  • 0x8e1df:$hawkstr1: HawkEye Keylogger
  • 0x8e50e:$hawkstr1: HawkEye Keylogger
  • 0x8e669:$hawkstr1: HawkEye Keylogger
  • 0x8e7cc:$hawkstr1: HawkEye Keylogger
  • 0x8ea63:$hawkstr1: HawkEye Keylogger
  • 0x8cf2c:$hawkstr2: Dear HawkEye Customers!
  • 0x8e561:$hawkstr2: Dear HawkEye Customers!
  • 0x8e6b8:$hawkstr2: Dear HawkEye Customers!
  • 0x8e81f:$hawkstr2: Dear HawkEye Customers!
  • 0x8d04d:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x8cce3:$key: HawkEyeKeylogger
  • 0x8ef67:$salt: 099u787978786
  • 0x8d346:$string1: HawkEye_Keylogger
  • 0x8e199:$string1: HawkEye_Keylogger
  • 0x8eec7:$string1: HawkEye_Keylogger
  • 0x8d72f:$string2: holdermail.txt
  • 0x8d74f:$string2: holdermail.txt
  • 0x8d671:$string3: wallet.dat
  • 0x8d689:$string3: wallet.dat
  • 0x8d69f:$string3: wallet.dat
  • 0x8ea8b:$string4: Keylog Records
  • 0x8eda3:$string4: Keylog Records
  • 0x8efbf:$string5: do not script -->
  • 0x8cccb:$string6: \pidloc.txt
  • 0x8cd59:$string7: BSPLIT
  • 0x8cd69:$string7: BSPLIT

Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x8d39e:$hawkstr1: HawkEye Keylogger
  • 0x8e1df:$hawkstr1: HawkEye Keylogger
  • 0x8e50e:$hawkstr1: HawkEye Keylogger
  • 0x8e669:$hawkstr1: HawkEye Keylogger
  • 0x8e7cc:$hawkstr1: HawkEye Keylogger
  • 0x8ea63:$hawkstr1: HawkEye Keylogger
  • 0x8cf2c:$hawkstr2: Dear HawkEye Customers!
  • 0x8e561:$hawkstr2: Dear HawkEye Customers!
  • 0x8e6b8:$hawkstr2: Dear HawkEye Customers!
  • 0x8e81f:$hawkstr2: Dear HawkEye Customers!
  • 0x8d04d:$hawkstr3: HawkEye Logger Details:

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe | Avira: detection malicious, Label: HEUR/AGEN.1138127
Found malware configuration
Source: vbc.exe.5556.8.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Joe Sandbox ML: detected
Source: 9.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack | Avira: Label: TR/Inject.vcoldi
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdbUs source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: ~symbols\dll\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760524179.000000001F6A7000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbM source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760461215.000000001F666000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb_ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
Source: Binary string: 1FoC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: 1FoC:\Windows\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
Source: Binary string: System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbe.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb" source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbsI source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.750712522.0000000000E36000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbA source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb{ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: [autorun]
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: autorun.inf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00C118BD FindFirstFileExA,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00C11BA6 FindFirstFileExW,FindClose,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00A318BD FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00A31D31 FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00A31D5C FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00A318BD FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00A31D31 FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00A31D5C FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

              Networking:

              barindex
              May check the online IP address of the machineShow sources
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: WindowsUpdate.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmpString found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&or
igin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmpString found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&or
igin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
              Source: unknown | DNS traffic detected: queries for: 35.37.15.0.in-addr.arpa
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
              Source: WindowsUpdate.exe, 00000009.00000002.711861825.000000001B201000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.727436272.000000001BB01000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/fooT
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com03
              Source: WindowsUpdate.exe | String found in binary or memory: http://whatismyipaddress.com/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.669445042.000000001DF35000.00000004.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665880005.000000001DF18000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com6
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comce
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comsig
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.666711909.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.667302759.000000001DF0D000.00000004.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759400107.000000001DF00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.667302759.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiond
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.663981836.000000001DF15000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665148269.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%k
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.kL
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/8k~
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/pk
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/el-g
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/fk
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%k
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.kL
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665333527.000000001DF08000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/yk?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ok
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/pk
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665148269.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/yk?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.668830663.000000001DF35000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
              Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
              Source: WindowsUpdate.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
              Source: WindowsUpdate.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6204, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 6184, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6748, type: MEMORY
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | .Net Code: HookKeyboard
              Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | .Net Code: HookKeyboard
              Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | .Net Code: HookKeyboard
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious name
              Source: initial sample, Static PE information: Filename: PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_0040A2A5
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C240F1
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C221EF
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BF012A
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C2526F
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BFA20A
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BF0352
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C245ED
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BF05C2
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C1975E
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BFD8C0
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BF0823
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BE3998
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BEFA9C
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00BF0A84
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C24A05
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: 0_2_00C1ABCC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00404DDB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_0040BD8A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00404E4C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00404EBD
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00404F4E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00404419
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00404516
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00413538
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_004145A1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_0040E639
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_004337AF
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_004399B1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_0043DAE7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00405CF6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00403F85
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_00411F99
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_0040A2A5
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A440F1
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A421EF
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A1012A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A1A20A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A4526F
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A10352
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A445ED
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A105C2
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A3975E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A1D8C0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A10823
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A03998
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A10A84
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A0FA9C
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A44A05
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A3ABCC
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A0FCC4
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A3DDAA
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A1DD60
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A1AEE0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A0FEF7
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A3DED7
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A44E3A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 9_2_00A1CFA0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_0040A2A5
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A440F1
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A421EF
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A1012A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A1A20A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A4526F
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A10352
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A445ED
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A105C2
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A3975E
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A1D8C0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A10823
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A03998
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A10A84
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A0FA9C
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A44A05
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A3ABCC
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A0FCC4
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A3DDAA
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A1DD60
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A1AEE0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A0FEF7
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A3DED7
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A44E3A
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_00A1CFA0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: 14_2_1B472478
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00413F8E appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00413E2D appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00442A90 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 004141D6 appears 88 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00411538 appears 35 times
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00BE1BB0 appears 67 times
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00C0894D appears 48 times
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00C063DC appears 37 times
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00BE1080 appears 69 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A02AC1 appears 36 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A263DC appears 92 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00401ED0 appears 46 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 0040569E appears 36 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A01080 appears 192 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A0302C appears 44 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A01BB0 appears 165 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A2894D appears 108 times
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00A09F33 appears 46 times
              Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: file.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WindowsUpdate.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Binary or memory string: OriginalFilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Binary or memory string: OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.758970609.000000001DA62000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamePhulli.exe0 vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755045062.000000001B1A0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamemailpv.exe< vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755169901.000000001B290000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755169901.000000001B290000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO 2010029_pdf Quotation from Alibaba Ale.exe
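The "OriginalFilename vs" lines above compare the OriginalFilename values found in the sample's version resource and in its memory dumps with the name the sample actually runs under; values such as mailpv.exe, WebBrowserPassView.exe and CMemoryExecute.dll show that the dropper carries other executables in memory. The Python below is an added example of that check, not code from the sandbox or from the sample: it scans a byte buffer for the UTF-16 "OriginalFilename" key of a VS_VERSIONINFO String block and reports every value that does not match the running name. SAMPLE_DUMP is a constructed buffer built by the helper _string_block, not real dump data, and the names it contains are taken from the report lines above.

```python
"""Find VERSIONINFO 'OriginalFilename' values in a file or memory dump and
compare them with the name the sample runs under (added example; the sample
buffer below is constructed, not taken from the real process dump)."""
import re
import struct

# 'OriginalFilename' as it sits in a VS_VERSIONINFO String block: UTF-16LE,
# NUL-terminated; the Value follows, DWORD-aligned and also NUL-terminated.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
# Optional 2-byte alignment pad, then 1..260 UTF-16LE code units with a zero
# high byte (ASCII names only; a non-ASCII name would be cut at that char).
_VALUE_RE = re.compile(rb"(?:\x00\x00)?((?:[^\x00]\x00){1,260})\x00\x00")


def extract_original_filenames(blob):
    """Every OriginalFilename value found anywhere in blob, in buffer order."""
    found, pos = [], 0
    while True:
        pos = blob.find(_KEY, pos)
        if pos < 0:
            return found
        pos += len(_KEY)
        m = _VALUE_RE.match(blob, pos)
        if m:
            found.append(m.group(1).decode("utf-16-le"))


def version_info_mismatches(blob, running_name):
    """OriginalFilename values that differ (case-insensitively) from the name
    the process runs under. A dropper that embeds other tools, such as the
    mailpv.exe and WebBrowserPassView.exe images seen in this report, shows
    up here as names that are not its own."""
    return sorted({n for n in extract_original_filenames(blob)
                   if n.lower() != running_name.lower()})


def _string_block(key, value):
    """Build a minimal VS_VERSIONINFO 'String' entry for the constructed
    sample: wLength, wValueLength, wType=1 (text), szKey, DWORD pad, Value."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * ((4 - (6 + len(key_b)) % 4) % 4)
    body = key_b + pad + val_b
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a process dump: three version blocks amid filler,
# using the OriginalFilename values listed in the report.
SAMPLE_DUMP = (
    b"\x90" * 64 + _string_block("OriginalFilename", "Phulli.exe")
    + b"MZ" + b"\x00" * 30 + _string_block("OriginalFilename", "mailpv.exe")
    + b"\x00" * 16 + _string_block("OriginalFilename", "WebBrowserPassView.exe")
)

if __name__ == "__main__":
    print(extract_original_filenames(SAMPLE_DUMP))
    print(version_info_mismatches(SAMPLE_DUMP, "PO 2010029_pdf Quotation from Alibaba Ale.exe"))
```

Run against a real dump, read the file with open(path, "rb").read() and pass the on-disk or process name as running_name; a single mismatch is normal for renamed binaries (the report's own Phulli.exe is such a case), while names of known credential-recovery tools inside a dropper are the signal this report flags under "Yara detected MailPassView" and "Yara detected WebBrowserPassView".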
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Section loaded: security.dll
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Section loaded: security.dll
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Section loaded: security.dll
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.1620000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.a00000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 14.2.WindowsUpdate.exe.a00000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.be0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 14.0.WindowsUpdate.exe.a00000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 9.0.WindowsUpdate.exe.a00000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.be0000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.1d3a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 14.2.WindowsUpdate.exe.1620000.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | Base64 encoded string: 'ugaRi50M9oh3clpYn7+YE9uvSwepeMxgQYfH/J9PFXCSaU0npmgxrHOyHmnIJwUYxxz07aqO6YrRDYhFRffLnQ9jsWPCji3hDJrDPbYtoe4='
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | Base64 encoded string: 'ugaRi50M9oh3clpYn7+YE9uvSwepeMxgQYfH/J9PFXCSaU0npmgxrHOyHmnIJwUYxxz07aqO6YrRDYhFRffLnQ9jsWPCji3hDJrDPbYtoe4='
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | Base64 encoded string: 'ugaRi50M9oh3clpYn7+YE9uvSwepeMxgQYfH/J9PFXCSaU0npmgxrHOyHmnIJwUYxxz07aqO6YrRDYhFRffLnQ9jsWPCji3hDJrDPbYtoe4='
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@14/11@3/4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File created: C:\Users\user\AppData\Local\Temp\folder
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: WindowsUpdate.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WindowsUpdate.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WindowsUpdate.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WindowsUpdate.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WindowsUpdate.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WindowsUpdate.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static file information: File size 1086464 > 1048576
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: indows\System.pdbpdbtem.pdbUs source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: ~symbols\dll\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760524179.000000001F6A7000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbM source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760461215.000000001F666000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb_ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
              Source: Binary string: 1FoC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: 1FoC:\Windows\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
              Source: Binary string: System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp
              Source: Binary string: C:\Windows\System.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbe.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdb" source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbsI source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.750712522.0000000000E36000.00000004.00000020.sdmp
              Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbA source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
              Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
              Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb{ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00401F16 push ecx; ret
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00BE1BF6 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411879 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004118A0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442871 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00442A90 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00446E54 push eax; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 9_2_00A01BF6 push ecx; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 14_2_00A01BF6 push ecx; ret
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File created: \po 2010029_pdf quotation from alibaba ale.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Local\Temp\folder\file.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

              Hooking and other Techniques for Hiding and Protection:

              Icon mismatch, binary includes an icon from a different legit application in order to fool users
              Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
              Changes the view of files in windows explorer (hidden files and folders)
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 1500000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 180000
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\folder\file.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 1556 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 5724 Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 3436 Thread sleep time: -140000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 612 Thread sleep time: -1500000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6396 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6928 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6928 Thread sleep time: -1500000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6928 Thread sleep time: -100000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6912 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C118BD FindFirstFileExA,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C11BA6 FindFirstFileExW,FindClose,FindNextFileW,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A318BD FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31D31 FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A31D5C FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A318BD FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31D31 FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A31D5C FindFirstFileExW,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004161B0 memset,GetSystemInfo,
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: WindowsUpdate.exe, 0000000E.00000002.723602799.0000000001715000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760654020.000000001F730000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C27B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE90B9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE9077 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C064EE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C06492 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C0644E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C0640A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C065EA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C065A5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C06662 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C0662F mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A47B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A090B9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A09077 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A26492 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A264EE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A2640A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A2644E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A265A5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A265EA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A2662F mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A26662 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 9_2_00A47F90 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A47B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A090B9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A09077 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A26492 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A264EE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A2640A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A2644E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A265A5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A265EA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A2662F mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A26662 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 14_2_00A47F90 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_004067FE GetProcessHeap,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00BE1AF5 SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00C066D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00BE1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00A01AF5 SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00A266D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00A01963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 9_2_00A01DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00A01AF5 SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00A266D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00A01963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 14_2_00A01DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2532
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_0040208D cpuid
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Code function: 0_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Code function: 0_2_00C1E962 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00406278 GetVersionExA,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760524179.000000001F6A7000.00000004.00000001.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.674536873.000000001F6A7000.00000004.00000001.sdmp; Binary or memory string: Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

              Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Yara detected MailPassView
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: ESMTPPassword
Yara detected WebBrowserPassView password recovery tool

              Remote Access Functionality:

Detected HawkEye Rat
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; String found in binary or memory: HawkEyeKeylogger
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp; String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp; String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe; String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe; String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe; String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe; String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected HawkEye Keylogger
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_1D560B5E listen,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_1D560F6E bind,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_1D560F3B bind,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_1D560B20 CreateMutexW,listen,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_1B7A0B5E listen,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_1B7A1096 bind,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_1B7A1063 bind,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_1B7A0B20 CreateMutexW,listen,

              Mitre Att&ck Matrix (techniques listed per tactic; a number in parentheses is the match count shown in the report for that technique)

              Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
              Execution: Windows Management Instrumentation (21); Native API (11); Shared Modules (1); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
              Persistence: DLL Side-Loading (1); Application Shimming (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
              Privilege Escalation: DLL Side-Loading (1); Application Shimming (1); Process Injection (411); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
              Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (31); Software Packing (11); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (5); Process Injection (411); Hidden Files and Directories (1); Invalid Code Signature; Right-to-Left Override; Rename System Utilities
              Credential Access: OS Credential Dumping (1); Input Capture (21); Credentials in Registry (2); Credentials In Files (1); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
              Discovery: System Time Discovery (2); Peripheral Device Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (39); Query Registry (1); Security Software Discovery (181); Virtualization/Sandbox Evasion (5); Process Discovery (3); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
              Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
              Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
              Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (2); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

              Behavior Graph

              Behavior Graph ID: 341324; Sample: PO 2010029_pdf Quotation from Alibaba Ale.exe; Startdate: 19/01/2021; Architecture: WINDOWS; Score: 100

              Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures

              Processes started from the start node: PO 2010029_pdf Quotation from Alibaba Ale.exe; WindowsUpdate.exe; WindowsUpdate.exe

              PO 2010029_pdf Quotation from Alibaba Ale.exe
              • DNS/IP: 35.37.15.0.in-addr.arpa; outback.websitewelcome.com (192.185.81.127, ports 49733 and 587, UNIFIEDLAYER-AS-1US, United States); 2 other IPs or domains
              • Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\Users\user\AppData\Local\Temp\...\file.exe (PE32); C:\...\WindowsUpdate.exe:Zone.Identifier (ASCII); C:\...\c7156b3839fe4b43a6263c28516d097c.xml (XML)
              • Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
              • Started: vbc.exe; vbc.exe; cmd.exe; dw20.exe
              • First vbc.exe, signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
              • Second vbc.exe, signatures: Tries to harvest and steal browser information (history, passwords, etc)
              • cmd.exe started: conhost.exe; schtasks.exe

              WindowsUpdate.exe (first instance)
              • DNS/IP: 127.0.0.1 (unknown)
              • Dropped: C:\Users\user\...\WindowsUpdate.exe.log (ASCII)
              • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              PO 2010029_pdf Quotation from Alibaba Ale.exe | 39% | ReversingLabs | Win32.Backdoor.NanoBot
              PO 2010029_pdf Quotation from Alibaba Ale.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\Temp\folder\file.exe | 100% | Avira | HEUR/AGEN.1138127
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\folder\file.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\folder\file.exe | 39% | ReversingLabs | Win32.Backdoor.NanoBot
              C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 39% | ReversingLabs | Win32.Backdoor.NanoBot

              Unpacked PE Files

              Source | Detection | Scanner | Label
              14.2.WindowsUpdate.exe.a00000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
              9.0.WindowsUpdate.exe.a00000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
              9.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              9.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              14.0.WindowsUpdate.exe.a00000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              9.2.WindowsUpdate.exe.1ab70000.4.unpack | 100% | Avira | TR/Inject.vcoldi
              9.2.WindowsUpdate.exe.1d3a0000.5.unpack | 100% | Avira | TR/Inject.vcoldi
              14.2.WindowsUpdate.exe.1620000.2.unpack | 100% | Avira | TR/Inject.vcoldi
              9.2.WindowsUpdate.exe.a00000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
              14.2.WindowsUpdate.exe.1dd20000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              14.2.WindowsUpdate.exe.1dd20000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
              0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.be0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
              14.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              14.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              9.2.WindowsUpdate.exe.1d440000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              9.2.WindowsUpdate.exe.1d440000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack | 100% | Avira | TR/Inject.vcoldi
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.be0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
              14.2.WindowsUpdate.exe.1dc90000.5.unpack | 100% | Avira | TR/Inject.vcoldi
              0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack | 100% | Avira | TR/Inject.vcoldi

              Domains

              No Antivirus matches

              URLs


              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              outback.websitewelcome.com | 192.185.81.127 | true | false | | high
              whatismyipaddress.com | 104.16.155.36 | true | false | | high
              35.37.15.0.in-addr.arpa | unknown | unknown | true | | unknown

                    Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              http://whatismyipaddress.com/ | false | | high

                      URLs from Memory and Binaries

                                              high
                                              http://www.monotype.PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.668830663.000000001DF35000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers8PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.carterandcone.comcePO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/Y0/pkPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/Y0/8k~PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.81.127 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                Private

                                                IP
                                                192.168.2.1
                                                127.0.0.1

                                                General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 341324
Start date: 19.01.2021
Start time: 08:44:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@14/11@3/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.3% (good quality ratio 14.4%)
• Quality average: 78.4%
• Quality standard deviation: 28.6%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.64.90.137, 51.104.144.132, 168.61.161.212, 92.122.213.247, 92.122.213.194, 2.20.142.210, 2.20.142.209, 52.254.96.93, 20.54.26.129, 52.147.198.201
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtCreateFile calls found.
                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
08:45:06 | API Interceptor | 36x Sleep call for process: PO 2010029_pdf Quotation from Alibaba Ale.exe modified
08:45:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
08:45:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
08:45:41 | API Interceptor | 1x Sleep call for process: dw20.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | Detection | Context
104.16.155.36 | hkaP5RPCGNDVq3Z.exe | malicious | whatismyipaddress.com/
104.16.155.36 | NDt93WWQwd089H7.exe | malicious | whatismyipaddress.com/
104.16.155.36 | PURCHASE ORDER.exe | malicious | whatismyipaddress.com/
104.16.155.36 | BANK-STATMENT _xlsx.exe | malicious | whatismyipaddress.com/
104.16.155.36 | INQUIRY.exe | malicious | whatismyipaddress.com/
104.16.155.36 | Prueba de pago.exe | malicious | whatismyipaddress.com/
104.16.155.36 | mR3CdUkyLL.exe | malicious | whatismyipaddress.com/
104.16.155.36 | 6JLHKYvboo.exe | malicious | whatismyipaddress.com/
104.16.155.36 | jSMd8npgmU.exe | malicious | whatismyipaddress.com/
104.16.155.36 | RXk6PjNTN8.exe | malicious | whatismyipaddress.com/
104.16.155.36 | 9vdouqRTh3.exe | malicious | whatismyipaddress.com/
104.16.155.36 | 5pB35gGfZ5.exe | malicious | whatismyipaddress.com/
104.16.155.36 | fyxC4Hgs3s.exe | malicious | whatismyipaddress.com/
104.16.155.36 | yk94P18VKp.exe | malicious | whatismyipaddress.com/
104.16.155.36 | oLHQIQAI3N.exe | malicious | whatismyipaddress.com/
104.16.155.36 | WuGzF7ZJ7P.exe | malicious | whatismyipaddress.com/
104.16.155.36 | NXmokFkh3R.exe | malicious | whatismyipaddress.com/
104.16.155.36 | qiGQsdRM57.exe | malicious | whatismyipaddress.com/
104.16.155.36 | NSSPH41vE5.exe | malicious | whatismyipaddress.com/
104.16.155.36 | 2v7Vtqfo81.exe | malicious | whatismyipaddress.com/

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
whatismyipaddress.com | hkaP5RPCGNDVq3Z.exe | malicious | 104.16.155.36
whatismyipaddress.com | B6LNCKjOGt5EmFQ.exe | malicious | 104.16.154.36
whatismyipaddress.com | NDt93WWQwd089H7.exe | malicious | 104.16.155.36
whatismyipaddress.com | JkhR5oeRHA.exe | malicious | 66.171.248.178
whatismyipaddress.com | PURCHASE ORDER.exe | malicious | 104.16.155.36
whatismyipaddress.com | BANK-STATMENT _xlsx.exe | malicious | 104.16.154.36
whatismyipaddress.com | INQUIRY.exe | malicious | 104.16.154.36
whatismyipaddress.com | Prueba de pago.exe | malicious | 104.16.155.36
whatismyipaddress.com | 879mgDuqEE.jar | malicious | 66.171.248.178
whatismyipaddress.com | remittance1111.jar | malicious | 66.171.248.178
whatismyipaddress.com | 879mgDuqEE.jar | malicious | 66.171.248.178
whatismyipaddress.com | remittance1111.jar | malicious | 66.171.248.178
whatismyipaddress.com | https://my-alliances.co.uk/ | malicious | 66.171.248.178
whatismyipaddress.com | c9o0CtTIYT.exe | malicious | 104.16.154.36
whatismyipaddress.com | mR3CdUkyLL.exe | malicious | 104.16.155.36
whatismyipaddress.com | 6JLHKYvboo.exe | malicious | 104.16.155.36
whatismyipaddress.com | jSMd8npgmU.exe | malicious | 104.16.155.36
whatismyipaddress.com | khJdbt0clZ.exe | malicious | 104.16.154.36
whatismyipaddress.com | ZMOKwXqVHO.exe | malicious | 104.16.154.36
whatismyipaddress.com | 5Av43Q5IXd.exe | malicious | 104.16.154.36

                                                ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | payment _doc.exe | malicious | 104.21.89.194
CLOUDFLARENETUS | Statement Of Account.exe | malicious | 172.67.170.231
CLOUDFLARENETUS | CQcT4Ph03Z.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | ucPCgX1NlH.exe | malicious | 66.235.200.5
CLOUDFLARENETUS | C5XbwziaXz.exe | malicious | 104.21.64.146
CLOUDFLARENETUS | 9gVzvJI8zq.exe | malicious | 172.67.160.246
CLOUDFLARENETUS | ugGgUEbqio.exe | malicious | 172.67.160.246
CLOUDFLARENETUS | pY5XEdTwX7.exe | malicious | 104.21.72.98
CLOUDFLARENETUS | Zz92XfcijKVXcny.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | IMG_53771.pdf.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | Shipping document.xlsx | malicious | 172.67.177.177
CLOUDFLARENETUS | FedEx 772584418730.doc | malicious | 104.21.19.200
CLOUDFLARENETUS | TJyVCvjegT.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | SHEXD210117S_ShippingDocument_DkD.xlsx | malicious | 23.227.38.74
CLOUDFLARENETUS | IMG_53771.doc | malicious | 172.67.188.154
CLOUDFLARENETUS | Pre-order.xlsx | malicious | 172.67.154.246
CLOUDFLARENETUS | RFQ TK011821.doc | malicious | 162.159.135.233
CLOUDFLARENETUS | Frq5Dvse34.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | PC51Jij3Pq.exe | malicious | 162.159.133.233
CLOUDFLARENETUS | SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe | malicious | 172.67.188.154
UNIFIEDLAYER-AS-1US | Statement for T10495.jar | malicious | 108.167.143.113
UNIFIEDLAYER-AS-1US | xPkiX7vwNVqQf9I.exe | malicious | 108.179.230.69
UNIFIEDLAYER-AS-1US | CQcT4Ph03Z.exe | malicious | 192.185.4.24
UNIFIEDLAYER-AS-1US | yxYmHtT7uT.exe | malicious | 162.241.60.214
UNIFIEDLAYER-AS-1US | TAg7hqAEaq.exe | malicious | 108.167.140.161
UNIFIEDLAYER-AS-1US | 9gVzvJI8zq.exe | malicious | 162.241.217.138
UNIFIEDLAYER-AS-1US | Y75vU558UfuGbzM.exe | malicious | 192.185.35.70
UNIFIEDLAYER-AS-1US | Materials.exe | malicious | 192.185.34.202
UNIFIEDLAYER-AS-1US | orden pdf.exe | malicious | 192.185.5.166
UNIFIEDLAYER-AS-1US | dg9PJ79P3G.exe | malicious | 192.185.163.193
UNIFIEDLAYER-AS-1US | 180120211200.exe | malicious | 50.87.193.205
UNIFIEDLAYER-AS-1US | 5YfNeXk1f0wrxXm.exe | malicious | 192.185.35.243
UNIFIEDLAYER-AS-1US | YUAN PAYMENT.exe | malicious | 162.214.103.133
UNIFIEDLAYER-AS-1US | TEC20201601.exe | malicious | 162.214.103.133
UNIFIEDLAYER-AS-1US | Materials.exe | malicious | 74.220.199.6
UNIFIEDLAYER-AS-1US | file_012021_5_2279069.doc | malicious | 50.116.93.238
UNIFIEDLAYER-AS-1US | Payment Advice.xlsx | malicious | 50.87.153.159
UNIFIEDLAYER-AS-1US | Payment Advice.xlsx | malicious | 50.87.153.159
UNIFIEDLAYER-AS-1US | Packing list #U2022 Invoice #U2022 Country of origin.exe | malicious | 50.87.196.173
UNIFIEDLAYER-AS-1US | Draft FCR-HBL.exe | malicious | 192.185.0.218

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_I3UYUDMLOPVYGRAZ_ff5d37c08782585231182226e219de1bf556ec8_00000000_12aa1aeb\Report.wer
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 18526
Entropy (8bit): 3.7595009509515065
Encrypted: false
SSDEEP: 192:+U+vhLWMBVm03jjy3qhb91t4No8XN1Dzv2Hk0K+Z5JNKU/u7s5S274It0bj:+hLNVjADfv1eKU/u7s5X4ItU
MD5: E0234DDB8DCD0049C26D45270E302670
SHA1: 8B38E799954AB55705B1C9FA05224A68462D1484
SHA-256: E38FEDC1A75B6FE1189FA7A986D9D349202208C8AE591BD99C8DFD279095FD34
SHA-512: 82FBAF04F07502D9967F7C3E049E0FD4D3B4476CF5B383BC2F5A5468522C4A5583F5E65757D9FAD230A0CCB71E822E040A8A0194BBC454F81DF2236601DD21D2
Malicious: false
Reputation: low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.5.1.5.9.0.7.1.9.8.6.3.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.5.5.1.5.9.0.8.7.4.5.5.2.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.6.a.a.b.b.3.-.0.0.7.b.-.4.2.6.4.-.a.d.e.3.-.0.a.8.d.f.0.d.d.4.b.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.8.-.0.0.0.1.-.0.0.1.b.-.c.f.4.4.-.5.0.f.c.3.6.e.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.c.5.e.b.d.5.8.d.1.9.3.3.b.e.2.9.b.8.8.7.2.0.2.0.b.9.e.c.0.5.8.0.0.0.0.f.f.f.f.!.0.0.0.0.8.3.4.0.7.c.5.d.0.7.5.e.7.a.8.6.6.4.b.d.5.0.b.1.c.f.e.6.d.8.2.e.b.9.3.6.3.4.2.e.!.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.n. . .f.r.o.m. .A.l.i.b.a.b.a. .A.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.1././.1.8.:.2.0.:.1.6.:.5.3.!.0.!.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.n. . .f.r.o.m.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER9679.tmp.WERInternalMetadata.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7790
Entropy (8bit): 3.7103725108859273
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiNCG6fnanWojq6YrVSUyFxDWgmfZ4X1Sb+p1nbpE1fpNjm:RrlsNiR6au6YJSUyFkgmfGX1S+nbpufm
MD5: 4663DEC090868E16DA7F5BCA796C9E56
SHA1: CCD5A6093B43EBECDBBE73CA9846324728F1060F
SHA-256: 161D1F741C110B43374FE458DC88E13DBC776FBF264B8119304EEA6D3A7F364C
SHA-512: C67FF00C65C6F75B3A5122DC111F0D7BDD4385EE2970F0624A89B0F5042D91017EFB41BD2111896DCDAF82F1390ADCDD4A0FA7589ED47B46A35B2E8FD7C1479D
Malicious: false
Reputation: low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.4.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER9745.tmp.xml
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4727
Entropy (8bit): 4.524625212788249
Encrypted: false
SSDEEP: 48:cvIwSD8zs3JgtWI9qPkWSC8BIa8fm8M4JFKgxFt+q8v7pxz6z4d:uITfZtP9SNmvJFKCK9J04d
MD5: 09230AF117101F309F1D2A9272EC4DD6
SHA1: 49371E06E109D22646A4A01042B3A6151AE2642E
SHA-256: B88430E87A0873ED3F7677059408CE9AF0B3543E3186BC9D0E61FE5A64841C04
SHA-512: 5BD3418B89D7F41D7D39DBA4AD76F6B5440A04C8E8C4EFF30695A76007DC4694222B7303DADD1E2B679F3BD3D5A63CE703C80ECDF4E5F9BC7D2F2159020CACD6
Malicious: false
Reputation: low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="823255" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log
                                                Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):916
                                                Entropy (8bit):5.282390836641403
                                                Encrypted:false
                                                SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1287
                                                Entropy (8bit):5.212090243419571
                                                Encrypted:false
                                                SSDEEP:24:2do4+S8TcqdQrsgFwvpIrovlgU3ODOiIQRvh7hwZgvw43aVdQfL3Tbn:c+XBQYpIrovl33ODOiLdKZgfo6L3/
                                                MD5:1F2AB60BB7267870886B92CD09BDD40F
                                                SHA1:B1FEB45A9F57DA9201C09C6BDF68A85F6B3B357C
                                                SHA-256:954E70C360613EE7521DC580232C08E22897A247F0EE9D8F1F137D5D44DEDAD6
                                                SHA-512:0C09CC3F8AA004537497320CBCEE4843141955268A797114E668FBB329AD332CAD378C0422048DEB3676CCA04FE4D475644DDB58F0C7193E84C4AD9866EF38EB
                                                Malicious:true
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.<RegistrationInfo>.<Date>2015-09-27T14:27:44.8929027</Date > .<Author>992547\user</Author>.</RegistrationInfo>.<Triggers>.<LogonTrigger>.<Enabled>true</Enabled>.<UserId>992547\user</UserId>.</LogonTrigger>.<RegistrationTrigger>.<Enabled>false</Enabled>.</RegistrationTrigger>.</Triggers>.<Principals>.<Principal id="Author">.<UserId>992547\user</UserId>.<LogonType>InteractiveToken</LogonType>.<RunLevel>LeastPrivilege</RunLevel>.</Principal>.</Principals>.<Settings>.<MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.<AllowHardTerminate>false</AllowHardTerminate>.<StartWhenAvailable>true</StartWhenAvailable>.<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.<IdleSettings>.<StopOnIdleEnd>true</StopOnIdleEnd>.<RestartOnIdle>false</RestartOnIdle>.</IdleSettings>.<AllowStartOnDemand>true</AllowStartOnDemand>.<Enabled>true</Enabled>.<Hidden>fals
                                                C:\Users\user\AppData\Local\Temp\folder\file.exe
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1086474
                                                Entropy (8bit):7.578465944506682
                                                Encrypted:false
                                                SSDEEP:24576:S8W4T17vgKzzHA3VJTMrxwpO7GAa18Xj:SU7JAlJTUme
                                                MD5:61854EA00B96528123E9A176BC0377BF
                                                SHA1:211FAF0D06BC47276DB738914C4D9B03DB1CA0F5
                                                SHA-256:28615FFA1BD821066848828F83A436587BD4FF8DA5F206B1EFAB09988FDA27C7
                                                SHA-512:9211791D4911B6619AE2EE69904013902E38E35A6852FDE1D667CD4D941228A289C3AD25A556B4CC78E7CCC65725E9972E8F5682504D9DACB4EA4C579173281F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 39%
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|..|..|.....v............n..._#......o....a.....n.....m..|.......}.....}....}..Rich|..........PE..L......`..........................................@.......................................@..................................F.......... ....................`..<,...6..............................06..@...............`............................text...:........................... ..`.rdata..............................@..@.data...4....`.......B..............@....gfids..t............N..............@..@.rsrc... ............P..............@..@.reloc..<,...`......................@..B................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview: ..
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1086464
                                                Entropy (8bit):7.578501414918202
                                                Encrypted:false
                                                SSDEEP:24576:S8W4T17vgKzzHA3VJTMrxwpO7GAa18XjX:SU7JAlJTUmej
                                                MD5:134BF4DDD2A72C5C396647F7037AF0E1
                                                SHA1:83407C5D075E7A8664BD50B1CFE6D82EB936342E
                                                SHA-256:76DB811BCA515B8C2F782394E24B4BBCE6269211F6E8971B4897BDFFD554303B
                                                SHA-512:E010172192C7A0EE2DB793B01D0C90644DF0AEDA6A475598B42C6CE8ABC67195C3A807D529CFA6755905FA1ADCB25FC2EB80B4FCC7DAB0D42380B81D5726C712
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 39%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|..|..|.....v............n..._#......o....a.....n.....m..|.......}.....}....}..Rich|..........PE..L......`..........................................@.......................................@..................................F.......... ....................`..<,...6..............................06..@...............`............................text...:........................... ..`.rdata..............................@..@.data...4....`.......B..............@....gfids..t............N..............@..@.rsrc... ............P..............@..@.reloc..<,...`......................@..B................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview: [ZoneTransfer]....ZoneId=0
                                                C:\Users\user\AppData\Roaming\pid.txt
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):4
                                                Entropy (8bit):2.0
                                                Encrypted:false
                                                SSDEEP:3:wRn:wR
                                                MD5:08425B881BCDE94A383CD258CEA331BE
                                                SHA1:035190E86082BBA15DAF822EA166639C626F9578
                                                SHA-256:C89351F5FEE4406D095BB248EDAF8A2C01BD57BC6CB4DCF45EA28EB2B4EF1A51
                                                SHA-512:8ACA3AF257A30AB72FFFD2FCE1CDAA55B64951E8DF1054BD21A2126FE22D61D073424A6A1F672B56AC2FBEEFBE89F362EE2DF747A19C1E9BE7488B283CBB1FA2
                                                Malicious:false
                                                Preview: 6184
                                                C:\Users\user\AppData\Roaming\pidloc.txt
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):72
                                                Entropy (8bit):4.726683293133492
                                                Encrypted:false
                                                SSDEEP:3:oNt+WfW1qOL/kiRMQFLTzxl0C:oNwvgOLHXLvxl0C
                                                MD5:82A4BD3798C0A5581741E25F32F233E7
                                                SHA1:73554D6548669CE4F8594A02863C6F4C36607D3B
                                                SHA-256:095CB76FECF1095B4D4AB724B0E29039E00BA8388CCCA9899D0AB559C7167718
                                                SHA-512:D578CB85F5DDB495AD0E420E8038E376F696E7556B731479284852549FA1987E8BBF06E10BBCF96C1733FE9E3F2C7C1E179473074B9A91E10F00BE04B80E87F6
                                                Malicious:false
                                                Preview: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.578501414918202
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File size:1086464
                                                MD5:134bf4ddd2a72c5c396647f7037af0e1
                                                SHA1:83407c5d075e7a8664bd50b1cfe6d82eb936342e
                                                SHA256:76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b
                                                SHA512:e010172192c7a0ee2db793b01d0c90644df0aeda6a475598b42c6ce8abc67195c3a807d529cfa6755905fa1adcb25fc2eb80b4fcc7dab0d42380b81d5726c712
                                                SSDEEP:24576:S8W4T17vgKzzHA3VJTMrxwpO7GAa18XjX:SU7JAlJTUmej
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|...|...|.......v...............n...._#.........o.......a.......n.......m...|...........}.......}.......}...Rich|..........

                                                File Icon

                                                Icon Hash:6eecccccd6d2f2f2

                                                Static PE Info

                                                General

                                                Entrypoint:0x401308
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x6005ECB5 [Mon Jan 18 20:16:53 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:3f85ebb67bac58f72de974a91d40889a

                                                Entrypoint Preview

                                                Instruction
                                                call 00007F8624A94F08h
                                                jmp 00007F8624A949C5h
                                                push 00000014h
                                                push 00453B58h
                                                call 00007F8624A95257h
                                                push 00000001h
                                                call 00007F8624A94CD0h
                                                pop ecx
                                                test al, al
                                                jne 00007F8624A949C9h
                                                push 00000007h
                                                call 00007F8624A94FF7h
                                                xor bl, bl
                                                mov byte ptr [ebp-19h], bl
                                                and dword ptr [ebp-04h], 00000000h
                                                call 00007F8624A94BB9h
                                                mov byte ptr [ebp-24h], al
                                                mov eax, dword ptr [00456A80h]
                                                xor ecx, ecx
                                                inc ecx
                                                cmp eax, ecx
                                                je 00007F8624A9499Eh
                                                test eax, eax
                                                jne 00007F8624A94A0Bh
                                                mov dword ptr [00456A80h], ecx
                                                push 0044B290h
                                                push 0044B270h
                                                call 00007F8624AB5E2Fh
                                                pop ecx
                                                pop ecx
                                                test eax, eax
                                                je 00007F8624A949D3h
                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                mov eax, 000000FFh
                                                jmp 00007F8624A94ABBh
                                                push 0044B26Ch
                                                push 0044B264h
                                                call 00007F8624AB5DADh
                                                pop ecx
                                                pop ecx
                                                mov dword ptr [00456A80h], 00000002h
                                                jmp 00007F8624A949C7h
                                                mov bl, cl
                                                mov byte ptr [ebp-19h], bl
                                                push dword ptr [ebp-24h]
                                                call 00007F8624A94DA7h
                                                pop ecx
                                                call 00007F8624A94F6Eh
                                                mov esi, eax
                                                xor edi, edi
                                                cmp dword ptr [esi], edi
                                                je 00007F8624A949DCh
                                                push esi
                                                call 00007F8624A94D09h
                                                pop ecx
                                                test al, al
                                                je 00007F8624A949D1h
                                                push edi
                                                push 00000002h
                                                push edi
                                                mov esi, dword ptr [esi]
                                                mov ecx, esi
                                                call 00007F8624A95197h
                                                call esi

                                                Data Directories

                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x546dc | 0xb4 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x1cd20 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x76000 | 0x2c3c | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x53610 | 0x1c | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x53630 | 0x40 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x260 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0x4993a | 0x49a00 | False | 0.472012945671 | data | 6.61525137664 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                 .rdata | 0x4b000 | 0xa3aa | 0xa400 | False | 0.45107660061 | SysEx File - Mesosha | 5.24006298806 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data | 0x56000 | 0x1f34 | 0xc00 | False | 0.171549479167 | DOS executable (block device driver \277DN) | 2.22955442271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                 .gfids | 0x58000 | 0x174 | 0x200 | False | 0.341796875 | data | 2.11448669888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0x59000 | 0x1cd20 | 0x1ce00 | False | 0.270706507035 | data | 5.15178641696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0x76000 | 0x2c3c | 0x2e00 | False | 0.783797554348 | data | 6.6314339311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                 Name | RVA | Size | Type | Language | Country
                                                 RT_ICON | 0x591c0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                 RT_ICON | 0x5b768 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                 RT_ICON | 0x5c810 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                 RT_ICON | 0x5cc78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                 RT_ICON | 0x60ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                 RT_RCDATA | 0x71718 | 0x4605 | data | English | United States
                                                 RT_GROUP_ICON | 0x716c8 | 0x4c | data | English | United States

                                                Imports

                                                 DLL | Import
                                                 KERNEL32.dll | Heap32Next, LoadResource, FreeLibrary, GetLongPathNameA, CancelIo, BuildCommDCBAndTimeoutsA, ExitThread, GlobalFindAtomW, GetStdHandle, HeapAlloc, GetProcessHeap, SetConsoleCursorPosition, DecodePointer, EncodePointer, SetEndOfFile, WriteConsoleW, HeapReAlloc, HeapSize, GetTimeZoneInformation, SetConsoleMode, ReadConsoleInputW, ReadConsoleInputA, PeekConsoleInputA, GetNumberOfConsoleInputEvents, CreateFileW, SetConsoleCtrlHandler, GetStringTypeW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindClose, MoveFileExW, GetFileAttributesExW, CreateProcessW, CreateProcessA, GetExitCodeProcess, WaitForSingleObject, GetCurrentThread, DeleteFileW, CloseHandle, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, ReadFile, QueryPerformanceFrequency, MultiByteToWideChar, WriteFile, GetModuleFileNameW, GetModuleFileNameA, WideCharToMultiByte, GetACP, HeapFree, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetFileType, OutputDebugStringA, OutputDebugStringW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, RaiseException
                                                 SHELL32.dll | DragQueryFile, Shell_NotifyIconA
                                                 MSWSOCK.dll | EnumProtocolsA, GetNameByTypeW, GetServiceA, getnetbyname
                                                 mscms.dll | EnumColorProfilesW, UnregisterCMMA, CreateProfileFromLogColorSpaceW, GetPS2ColorRenderingIntent, EnumColorProfilesA
                                                 msi.dll |
                                                 WS2_32.dll | gethostbyaddr, WSCInstallNameSpace, WSALookupServiceNextA, WSARemoveServiceClass
                                                 ODBC32.dll | VRetrieveDriverErrorsRowCol
                                                 USER32.dll | GetDC, GrayStringW

                                                Possible Origin

                                                 Language of compilation system | Country where language is spoken
                                                 English | United States

                                                Network Behavior

                                                Snort IDS Alerts

                                                 Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                 01/19/21-08:45:05.791595 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49728 | 104.16.155.36 | 192.168.2.4

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 19, 2021 08:45:05.703176975 CET | 49728 | 80 | 192.168.2.4 | 104.16.155.36
Jan 19, 2021 08:45:05.743170023 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.4
Jan 19, 2021 08:45:05.744184017 CET | 49728 | 80 | 192.168.2.4 | 104.16.155.36
Jan 19, 2021 08:45:05.745187044 CET | 49728 | 80 | 192.168.2.4 | 104.16.155.36
Jan 19, 2021 08:45:05.785067081 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.4
Jan 19, 2021 08:45:05.791594982 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.4
Jan 19, 2021 08:45:05.842942953 CET | 49728 | 80 | 192.168.2.4 | 104.16.155.36
Jan 19, 2021 08:45:21.424724102 CET | 49728 | 80 | 192.168.2.4 | 104.16.155.36
Jan 19, 2021 08:45:21.464867115 CET | 80 | 49728 | 104.16.155.36 | 192.168.2.4
Jan 19, 2021 08:45:21.464962959 CET | 49728 | 80 | 192.168.2.4 | 104.16.155.36
Jan 19, 2021 08:45:21.578411102 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:21.735934973 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:21.736063004 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.062592983 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.062877893 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.220532894 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.220808983 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.381907940 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.422467947 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.589298964 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.756324053 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.756364107 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.756386042 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.756402016 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.756438017 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.756489992 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.758081913 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:22.795583010 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:22.954921961 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:23.000612974 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:23.545238972 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:23.703063011 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:23.704037905 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:23.862426043 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:23.863172054 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.027528048 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.028479099 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.186069012 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.186877966 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.350517035 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.351160049 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.508589983 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.509702921 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.509939909 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.510049105 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.510185957 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.510272026 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.510390043 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:24.667107105 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.667150021 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.667190075 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.667313099 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.667359114 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.667511940 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.667937994 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4
Jan 19, 2021 08:45:24.719496965 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127
Jan 19, 2021 08:45:47.959813118 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 19, 2021 08:44:57.608969927 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:44:57.659780979 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:01.339618921 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:01.387502909 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:03.010580063 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:03.058511019 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:05.358360052 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:05.417759895 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:05.627551079 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:05.678183079 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:09.557236910 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:09.605043888 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:15.021019936 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:15.069343090 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:21.466996908 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:21.535942078 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:23.510432005 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:23.558269978 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:24.895240068 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:24.952120066 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:25.947082996 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:25.994999886 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:28.761084080 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:28.805495024 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:28.818804026 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:28.861666918 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:30.320110083 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:30.367938995 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:31.216104031 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:31.274847031 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:34.498747110 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:34.549451113 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:42.069797993 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:42.127693892 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:45.354842901 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:46.393657923 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:47.456290960 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:47.515433073 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:48.043181896 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:48.114690065 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:48.422040939 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:48.517926931 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:50.022212982 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:50.084577084 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:51.780360937 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:51.839528084 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:52.757272959 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:52.813530922 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:53.825488091 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:53.881767988 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:54.906923056 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:54.954777956 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:56.174213886 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:56.230391979 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:57.559679031 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:57.620481014 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:45:58.419656992 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:45:58.470292091 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:00.960335970 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:01.017916918 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:06.678324938 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:06.729052067 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:07.489012957 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:07.536947012 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:09.761728048 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:09.809808016 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:11.707901001 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:11.756141901 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:13.527553082 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:13.586816072 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:17.784444094 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:17.835203886 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:18.612889051 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:18.660845041 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:19.908061981 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:19.964338064 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:23.141788960 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:23.192622900 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:24.768100023 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:24.818840027 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:32.575464010 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:32.623409986 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jan 19, 2021 08:46:33.881192923 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jan 19, 2021 08:46:33.929156065 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 19, 2021 08:45:05.358360052 CET | 192.168.2.4 | 8.8.8.8 | 0xb503 | Standard query (0) | 35.37.15.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Jan 19, 2021 08:45:05.627551079 CET | 192.168.2.4 | 8.8.8.8 | 0x3a6 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Jan 19, 2021 08:45:21.466996908 CET | 192.168.2.4 | 8.8.8.8 | 0x15eb | Standard query (0) | outback.websitewelcome.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 19, 2021 08:45:05.417759895 CET | 8.8.8.8 | 192.168.2.4 | 0xb503 | Name error (3) | 35.37.15.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Jan 19, 2021 08:45:05.678183079 CET | 8.8.8.8 | 192.168.2.4 | 0x3a6 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Jan 19, 2021 08:45:05.678183079 CET | 8.8.8.8 | 192.168.2.4 | 0x3a6 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Jan 19, 2021 08:45:21.535942078 CET | 8.8.8.8 | 192.168.2.4 | 0x15eb | No error (0) | outback.websitewelcome.com | | 192.185.81.127 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• whatismyipaddress.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49728 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe

Timestamp | kBytes transferred | Direction | Data
Jan 19, 2021 08:45:05.745187044 CET | 555 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Jan 19, 2021 08:45:05.791594982 CET | 556 | IN | HTTP/1.1 403 Forbidden
    Date: Tue, 19 Jan 2021 07:45:05 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Set-Cookie: __cfduid=de8a777b8e6b7c58309aef25df64241f71611042305; expires=Thu, 18-Feb-21 07:45:05 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
    cf-request-id: 07bb33cef100009748d0248000000001
    Server: cloudflare
    CF-RAY: 613eef2b1e229748-FRA
    Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
    Data Ascii: error code: 1020

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 19, 2021 08:45:22.062592983 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4 | 220-outback.websitewelcome.com ESMTP Exim 4.93 #2 Tue, 19 Jan 2021 01:45:21 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jan 19, 2021 08:45:22.062877893 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127 | EHLO 992547
Jan 19, 2021 08:45:22.220532894 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4 | 250-outback.websitewelcome.com Hello 992547 [84.17.52.74]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jan 19, 2021 08:45:22.220808983 CET | 49733 | 587 | 192.168.2.4 | 192.185.81.127 | STARTTLS
Jan 19, 2021 08:45:22.381907940 CET | 587 | 49733 | 192.185.81.127 | 192.168.2.4 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:44:58
Start date: 19/01/2021
Path: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
Imagebase: 0xbe0000
File size: 1086464 bytes
MD5 hash: 134BF4DDD2A72C5C396647F7037AF0E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.749770349.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:44:59
Start date: 19/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:45:00
Start date: 19/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:45:00
Start date: 19/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml'
Imagebase: 0x1180000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:45:06
Start date: 19/01/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 2532
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                General

                                                Start time:08:45:09
                                                Start date:19/01/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                Imagebase:0x400000
                                                File size:1171592 bytes
                                                MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.683246916.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:08:45:09
                                                Start date:19/01/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                Imagebase:0x400000
                                                File size:1171592 bytes
                                                MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.687360804.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:08:45:19
                                                Start date:19/01/2021
                                                Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                Imagebase:0xa00000
                                                File size:1086464 bytes
                                                MD5 hash:134BF4DDD2A72C5C396647F7037AF0E1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 39%, ReversingLabs
                                                Reputation:low

                                                General

                                                Start time:08:45:27
                                                Start date:19/01/2021
                                                Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                Imagebase:0xa00000
                                                File size:1086464 bytes
                                                MD5 hash:134BF4DDD2A72C5C396647F7037AF0E1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Disassembly

                                                Code Analysis
