
Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID: 341324
MD5: 134bf4ddd2a72c5c396647f7037af0e1
SHA1: 83407c5d075e7a8664bd50b1cfe6d82eb936342e
SHA256: 76db811bca515b8c2f782394e24b4bbce6269211f6e8971b4897bdffd554303b
Tags: exe


Detection

Labels: HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO 2010029_pdf Quotation from Alibaba Ale.exe (PID: 6184 cmdline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe' MD5: 134BF4DDD2A72C5C396647F7037AF0E1)
    • cmd.exe (PID: 1904 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1836 cmdline: schtasks /Create /TN file /XML 'C:\Users\user\AppData\Local\Temp\c7156b3839fe4b43a6263c28516d097c.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • dw20.exe (PID: 4856 cmdline: dw20.exe -x -s 2532 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • vbc.exe (PID: 5896 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 5556 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 6748 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 134BF4DDD2A72C5C396647F7037AF0E1)
  • WindowsUpdate.exe (PID: 6204 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 134BF4DDD2A72C5C396647F7037AF0E1)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x8cce3:$key: HawkEyeKeylogger
  • 0x8ef67:$salt: 099u787978786
  • 0x8d346:$string1: HawkEye_Keylogger
  • 0x8e199:$string1: HawkEye_Keylogger
  • 0x8eec7:$string1: HawkEye_Keylogger
  • 0x8d72f:$string2: holdermail.txt
  • 0x8d74f:$string2: holdermail.txt
  • 0x8d671:$string3: wallet.dat
  • 0x8d689:$string3: wallet.dat
  • 0x8d69f:$string3: wallet.dat
  • 0x8ea8b:$string4: Keylog Records
  • 0x8eda3:$string4: Keylog Records
  • 0x8efbf:$string5: do not script -->
  • 0x8cccb:$string6: \pidloc.txt
  • 0x8cd59:$string7: BSPLIT
  • 0x8cd69:$string7: BSPLIT
00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x8d39e:$hawkstr1: HawkEye Keylogger
  • 0x8e1df:$hawkstr1: HawkEye Keylogger
  • 0x8e50e:$hawkstr1: HawkEye Keylogger
  • 0x8e669:$hawkstr1: HawkEye Keylogger
  • 0x8e7cc:$hawkstr1: HawkEye Keylogger
  • 0x8ea63:$hawkstr1: HawkEye Keylogger
  • 0x8cf2c:$hawkstr2: Dear HawkEye Customers!
  • 0x8e561:$hawkstr2: Dear HawkEye Customers!
  • 0x8e6b8:$hawkstr2: Dear HawkEye Customers!
  • 0x8e81f:$hawkstr2: Dear HawkEye Customers!
  • 0x8d04d:$hawkstr3: HawkEye Logger Details:
  (11 of 96 string matches shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x8cce3:$key: HawkEyeKeylogger
  • 0x8ef67:$salt: 099u787978786
  • 0x8d346:$string1: HawkEye_Keylogger
  • 0x8e199:$string1: HawkEye_Keylogger
  • 0x8eec7:$string1: HawkEye_Keylogger
  • 0x8d72f:$string2: holdermail.txt
  • 0x8d74f:$string2: holdermail.txt
  • 0x8d671:$string3: wallet.dat
  • 0x8d689:$string3: wallet.dat
  • 0x8d69f:$string3: wallet.dat
  • 0x8ea8b:$string4: Keylog Records
  • 0x8eda3:$string4: Keylog Records
  • 0x8efbf:$string5: do not script -->
  • 0x8cccb:$string6: \pidloc.txt
  • 0x8cd59:$string7: BSPLIT
  • 0x8cd69:$string7: BSPLIT
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x8d39e:$hawkstr1: HawkEye Keylogger
  • 0x8e1df:$hawkstr1: HawkEye Keylogger
  • 0x8e50e:$hawkstr1: HawkEye Keylogger
  • 0x8e669:$hawkstr1: HawkEye Keylogger
  • 0x8e7cc:$hawkstr1: HawkEye Keylogger
  • 0x8ea63:$hawkstr1: HawkEye Keylogger
  • 0x8cf2c:$hawkstr2: Dear HawkEye Customers!
  • 0x8e561:$hawkstr2: Dear HawkEye Customers!
  • 0x8e6b8:$hawkstr2: Dear HawkEye Customers!
  • 0x8e81f:$hawkstr2: Dear HawkEye Customers!
  • 0x8d04d:$hawkstr3: HawkEye Logger Details:
  (11 of 110 string matches shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe; Avira: detection malicious, Label: HEUR/AGEN.1138127
Found malware configuration
Source: vbc.exe.5556.8.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe; ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\folder\file.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.WindowsUpdate.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.WindowsUpdate.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 9.2.WindowsUpdate.exe.1ab70000.4.unpack; Avira: Label: TR/Inject.vcoldi
Source: 9.2.WindowsUpdate.exe.1d3a0000.5.unpack; Avira: Label: TR/Inject.vcoldi
Source: 14.2.WindowsUpdate.exe.1620000.2.unpack; Avira: Label: TR/Inject.vcoldi
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.WindowsUpdate.exe.1dd20000.6.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.WindowsUpdate.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.WindowsUpdate.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.WindowsUpdate.exe.1d440000.6.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d950000.5.unpack; Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1d9e0000.6.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.WindowsUpdate.exe.1dc90000.5.unpack; Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1b540000.4.unpack; Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
              Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: indows\System.pdbpdbtem.pdbUs source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: ~symbols\dll\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb: source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760524179.000000001F6A7000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbM source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760461215.000000001F666000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb_ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
              Source: Binary string: 1FoC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: 1FoC:\Windows\System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
              Source: Binary string: System.Runtime.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762359130.00000000209EB000.00000004.00000010.sdmp
              Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759251701.000000001DD20000.00000002.00000001.sdmp
              Source: Binary string: C:\Windows\System.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbe.Remoting.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdb" source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbsI source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.750712522.0000000000E36000.00000004.00000020.sdmp
              Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbA source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
              Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
              Source: Binary string: .pdbmscorlibsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb{ source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.762235371.00000000206CA000.00000004.00000010.sdmp
              Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755555343.000000001B7BC000.00000004.00000040.sdmp
May infect USB drives
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Binary or memory string: [autorun]
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe; Binary or memory string: autorun.inf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: WindowsUpdate.exe; Binary or memory string: [autorun]
Source: WindowsUpdate.exe; Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Code function: 0_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Code function: 0_2_00C118BD FindFirstFileExA,
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe; Code function: 0_2_00C11BA6 FindFirstFileExW,FindClose,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_00A318BD FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_00A31D31 FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_00A31D5C FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_00A318BD FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_00A31BA6 FindFirstFileExW,FindClose,FindNextFileW,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_00A31D31 FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 14_2_00A31D5C FindFirstFileExW,
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: whatismyipaddress.com
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 104.16.155.36
Source: WindowsUpdate.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: unknown | DNS traffic detected: queries for: 35.37.15.0.in-addr.arpa
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
              Source: WindowsUpdate.exe, 00000009.00000002.711861825.000000001B201000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.727436272.000000001BB01000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/fooT
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com03
              Source: WindowsUpdate.exe | String found in binary or memory: http://whatismyipaddress.com/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.669445042.000000001DF35000.00000004.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665880005.000000001DF18000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com6
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comce
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665025745.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comsig
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.666711909.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.667302759.000000001DF0D000.00000004.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759400107.000000001DF00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.667302759.000000001DF0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiond
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.663981836.000000001DF15000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665148269.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%k
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.kL
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/8k~
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/pk
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/el-g
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/fk
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665220746.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%k
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.kL
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665333527.000000001DF08000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/yk?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ok
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665824786.000000001DF09000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/pk
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.665148269.000000001DF05000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/yk?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.668830663.000000001DF35000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
              Source: WindowsUpdate.exe, 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.759636394.000000001E130000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
              Source: WindowsUpdate.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.760610314.000000001F6D1000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: vbc.exe, 00000008.00000003.687221206.0000000000C0E000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
              Source: WindowsUpdate.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
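              Most of the string hits above are font-vendor and certificate-revocation URLs that almost any .NET binary carries; the ones worth an analyst's attention are the IP-check service (whatismyipaddress.com), the NirSoft URL that sits behind the MailPassView / WebBrowserPassView detections, and the webmail login endpoints the stealer targets. The script below is an added example, not part of this report or of Joe Sandbox: it pulls ASCII and UTF-16LE URLs out of a dumped memory region and sorts them into those families, setting the noise aside. The category names, the noise list and the byte blob it scans are constructions of this example, modelled on the strings listed above; in practice the input would be the bytes of one of the .sdmp regions.

```python
import re
from collections import defaultdict

# Indicator families taken from the string hits above. The category names
# and the grouping are this example's own, not the sandbox's.
INDICATORS = {
    "ip-check": ("whatismyipaddress.com",),
    "credential-tool": ("nirsoft.net",),
    "webmail-login": (
        "login.yahoo.com/config/login",
        "www.google.com/accounts/servicelogin",
    ),
}

# Font-vendor and CA endpoints embedded by the compiler/linker or by font
# resources; present in most legitimate .NET binaries, so low triage value.
NOISE_SUBSTRINGS = (
    "fontbureau.com", "carterandcone.com", "jiyu-kobo.co.jp", "monotype",
    "founder.com.cn", "fonts.com", "apache.org/licenses", "crl.comodoca.com",
    "ocsp.comodoca.com", "sectigo.com",
)

# .NET keeps most strings as UTF-16LE in memory, so scan both encodings.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


def extract_urls(blob: bytes) -> list:
    """Return unique URL strings in order of their offset in the blob.

    Trailing junk such as 'crl04' or 'comce' in the report is the bytes that
    happen to follow the string in memory; it is kept, since classification
    below is by substring and does not depend on a clean URL tail."""
    found = []
    for m in URL_ASCII.finditer(blob):
        found.append((m.start(), m.group().decode("ascii", "replace")))
    for m in URL_UTF16.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16le", "replace")))
    seen, out = set(), []
    for _, url in sorted(found):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def classify(urls: list) -> dict:
    """Bucket URLs by indicator family; unknown hits stay 'uncategorized'."""
    buckets = defaultdict(list)
    for url in urls:
        low = url.lower()
        cat = next(
            (c for c, needles in INDICATORS.items() if any(n in low for n in needles)),
            None,
        )
        if cat is None:
            cat = "noise" if any(n in low for n in NOISE_SUBSTRINGS) else "uncategorized"
        buckets[cat].append(url)
    return dict(buckets)


def triage(blob: bytes) -> dict:
    """Extract, classify, and flag the stealer pattern seen in this report:
    a NirSoft-derived recovery tool alongside webmail login endpoints."""
    buckets = classify(extract_urls(blob))
    pattern = "credential-tool" in buckets and "webmail-login" in buckets
    return {"buckets": buckets, "credential_theft_pattern": pattern}


# Constructed stand-in for a dumped memory region (not a real .sdmp).
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00" + b"\x00" * 16
    + b"http://crl.comodoca.com/AAACertificateServices.crl04\x00"
    + b"http://www.fontbureau.com/designers/cabarga.htmlN\x00"
    + b"http://whatismyipaddress.com/-\x00"
    + "http://www.nirsoft.net/".encode("utf-16le") + b"\x00\x00"
    + "https://login.yahoo.com/config/login".encode("utf-16le") + b"\x00\x00"
    + b"https://www.google.com/accounts/servicelogin\x00"
    + b"http://foo.com/fooT\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for cat, urls in result["buckets"].items():
        print(f"[{cat}]")
        for u in urls:
            print("   ", u)
    print("credential theft pattern:", result["credential_theft_pattern"])
```

Run it against a real region by replacing SAMPLE_DUMP with `open(path, "rb").read()`; the noise bucket is where the dozens of fontbureau.com and jiyu-kobo.co.jp hits end up, and the three indicator buckets are what would have gone into an incident ticket.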

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000009.00000002.710741179.000000001AB70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.722985777.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.706683978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.758588141.000000001D9E2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.712471863.000000001D442000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.755347738.000000001B540000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.756675173.000000001C7C1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.728700513.000000001DC90000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.757447737.000000001D8CB000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.758041850.000000001D950000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.727723353.000000001CB01000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.712000579.000000001C201000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.755565035.000000001B7C1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.712159981.000000001D3A0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.729263092.000000001DD22000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.706344481.000000001AD20000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.723425868.0000000001620000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match