Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID: 341532
MD5: eb59d99961c7636b4872e389da03cbc9
SHA1: 22d5fb0f076a0d945596b7938e72b6b5cae73674
SHA256: 4dd89aea31cfb64c8fa6b542c9ad002e4041ef5249f2072947df749e00e7fd9e
Tags: exe, Yahoo

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: vbc.exe.968.3.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: rsaenh.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcrypt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ws2_32.pdb0up source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ucrtbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Configuration.pdbKt0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemcomn.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: NapiNSP.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcrt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wrpcrt4.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wntdll.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb:p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: powrprof.pdbBuP source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoreei.pdbOs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winnsi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscms.pdbQn source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptsp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\mscorlib.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wsspicli.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: CLBCatQ.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ntmarta.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc.pdbFp@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wwin32u.pdbup source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptsp.pdb`t0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wkernelbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: psapi.pdb7u` source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shlwapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: version.pdbht source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
Source: Binary string: mscorjit.pdbbt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ODBC32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
Source: Binary string: dwmapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoree.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Windows.Storage.pdbcw source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ws2_32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbDr source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msasn1.pdb8u source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: iphlpapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nsi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdb6 source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb2o source: WERD288.tmp.mdmp.6.dr
Source: Binary string: powrprof.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Configuration.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ole32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp, WERD288.tmp.mdmp.6.dr
Source: Binary string: DWrite.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cfgmgr32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Drawing.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Management.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: combase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Windows.Storage.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc6.pdb]s0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: apphelp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasadhlp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dwmapi.pdbHt0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: pnrpnsp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptbase.pdbjt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ColorAdapterClient.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wsspicli.pdbkt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shcore.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fltLib.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shell32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcr80.i386.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcp_win.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dpapi.pdbxs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shfolder.pdbit`F source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dnsapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasapi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Runtime.Remoting.pdb*p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: userenv.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wimm32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wwin32u.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nlaapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: userenv.pdbqs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winnsi.pdbds source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winhttp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wUxTheme.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: DDsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: wmiutils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: gdiplus.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: rtutils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorwks.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: profapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc6.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Kernel.Appcore.pdbGu source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wgdi32full.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorjit.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: sechost.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winhttp.pdb p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoree.pdbWsP source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shfolder.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wgdi32full.pdbmt@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasman.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fastprox.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemsvc.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winrnr.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Drawing.pdb@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msctf.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
Source: Binary string: System.Runtime.Remoting.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wmswsock.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: version.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rsaenh.pdb]t source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Xml.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscms.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Kernel.Appcore.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: WMINet_Utils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: psapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fwpuclnt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcrypt.pdb[t source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wuser32.pdb@w source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcryptprimitives.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoreei.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nlaapi.pdb5o0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb[w source: WERD288.tmp.mdmp.6.dr
Source: Binary string: oleaut32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wuser32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemprox.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WERD288.tmp.mdmp.6.dr

Spreading:

May infect USB drives
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: autorun.inf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: [autorun]
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW, 0_2_00404A29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B018BD FindFirstFileExA, 0_2_00B018BD
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B01BA6 FindFirstFileExW,FindClose,FindNextFileW, 0_2_00B01BA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 3_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F018BD FindFirstFileExA, 8_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW, 8_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D5C FindFirstFileExW, 8_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D31 FindFirstFileExA, 8_2_00F01D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00404A29 FindFirstFileExW, 11_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F018BD FindFirstFileExA, 11_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW, 11_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01D5C FindFirstFileExW, 11_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01D31 FindFirstFileExA, 11_2_00F01D31

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 8_2_1AE40728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 11_2_1C940728

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36 104.16.155.36
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: WindowsUpdate.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.245528532.00000000008BC000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.245528532.00000000008BC000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: whatismyipaddress.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222007881.000000001F12D000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000008.00000002.308158001.000000001CC12000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312377035.000000001CCB1000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/fooT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: WindowsUpdate.exe String found in binary or memory: http://whatismyipaddress.com/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.224519756.000000001F137000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com.12
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comItaf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comeci
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comitk.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comypo
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersB
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comceco
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn(
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnBm
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnxmQ
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.227248438.000000001F12F000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
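Almost all of the URLs in the list above are font-foundry addresses (Carter & Cone, Font Bureau, Founder, Monotype, URW++ and so on) of the kind carried in font name tables, and the odd trailing characters ("comItaf", "cnBm", "deDPlease") are whatever bytes happened to follow the string in memory, not part of the URL. Only three entries say anything about the sample's behaviour: the nirsoft.net URL in WindowsUpdate.exe and the Yahoo and Google login endpoints, which line up with the MailPassView and WebBrowserPassView detections in the signature list. The Python below is an added example and is not part of the Joe Sandbox report: it parses lines of this shape, cuts the host at a small hand-picked suffix list (an assumption that covers only the domains in this report), and sorts the result into font noise, strings of interest and strings too truncated to classify. The sample lines are constructed copies of entries above.

```python
import re
from collections import defaultdict

# Added example, not part of the Joe Sandbox report: triage the
# "String found in binary or memory" URL lines of a report section.

LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?)(?:, (?P<dump>\S+\.sdmp))?"
    r" String found in binary or memory: (?P<url>\S+)$"
)

# Memory-carved URLs run straight into neighbouring bytes ("...comItaf"), so
# the host is cut at the first recognised public suffix. This suffix list is
# a hand-picked assumption that covers the domains in this report only; it
# would mis-split a host such as "www.comcast.net" (".com" wins first).
HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9.-]+?\.(?:com\.cn|co\.kr|co\.jp|com|net|org|cn|kr|jp|de))"
    r"(?P<rest>.*)$"
)

# Font foundries whose URLs live in font name tables (constructed allowlist
# of the foundry domains that appear in this report).
FONT_FOUNDRIES = {
    "carterandcone.com", "fontbureau.com", "fonts.com", "founder.com.cn",
    "galapagosdesign.com", "goodfont.co.kr", "jiyu-kobo.co.jp", "monotype.com",
    "sajatypeworks.com", "sakkal.com", "sandoll.co.kr", "tiro.com",
    "typography.net", "urwpp.de", "zhongyicts.com.cn",
}

# Constructed sample in the shape of the report lines above.
SAMPLE_LINES = """\
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comItaf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.227248438.000000001F12F000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
"""


def split_url(url):
    """Return (host, rest, truncated) for a carved URL string."""
    _scheme, _, remainder = url.partition("://")
    m = HOST_RE.match(remainder)
    if m:
        return m["host"], m["rest"], False
    # No recognised suffix: the string itself was cut short ("www.monotype.").
    return remainder.split("/", 1)[0].rstrip("."), "", True


def registrable(host):
    """Drop a leading 'www.'; good enough for the grouping done here."""
    return host[4:] if host.startswith("www.") else host


def classify(host, truncated):
    if truncated:
        return "unparsed"
    return "font_noise" if registrable(host) in FONT_FOUNDRIES else "interest"


def parse_line(line):
    """One report line -> dict, or None if it is not a URL-string line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, rest, truncated = split_url(m["url"])
    return {
        "process": m["proc"], "dump": m["dump"], "url": m["url"],
        "host": host, "tail": rest, "category": classify(host, truncated),
    }


def triage(text):
    """category -> {registrable domain: set of processes it was found in}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            out[rec["category"]][registrable(rec["host"])].add(rec["process"])
    return {cat: dict(doms) for cat, doms in out.items()}


if __name__ == "__main__":
    for cat, doms in sorted(triage(SAMPLE_LINES).items()):
        print(f"[{cat}]")
        for dom, procs in sorted(doms.items()):
            print(f"  {dom:24s} {', '.join(sorted(procs))}")
```

The per-process grouping is the useful part: a URL that only ever shows up in the dropped WindowsUpdate.exe copy (nirsoft.net, the login endpoints) was unpacked or decoded at run time, whereas the foundry URLs appear in read-only and read-write regions of the initial process and are inherited from fonts, not from the malware.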

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: HookKeyboard
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 2_2_0040AC8A
Creates a DirectInput object (often for capturing keystrokes)
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301871315.000000000164A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note that the only evidence behind this signature is a hook declaration for DirectDrawCreateEx in DDRAW.DLL, which is a DirectDraw (graphics) API rather than DirectInput, so on its own it is a weak indicator. The keylogging capability of this sample is established by the HookKeyboard code and the low-level keyboard hook listed above, not by this string.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
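The Yara hits in the keylogger section above and the community-rule matches in this section are keyed on the same two kinds of identifier: memory dumps named `<process index>.<phase>.<dump id>.<base address>.<protection>.<kind>.sdmp` and unpacked PEs named `<process index>.<phase>.<image name>.<base>.<n>[.raw].unpack`. Read that way, the lists say that processes 0, 8 and 11 (the initial sample and the two WindowsUpdate.exe instances) all carry a HawkEye-matching region at 0x400000 with protection 0x40, i.e. PAGE_EXECUTE_READWRITE, which is what the "process hollowing" and "injects a PE file" signatures in the summary look like in memory. The Python below is an added example and is not part of the Joe Sandbox report: it decodes both identifier forms, assumes (on the strength of the 0x40/0x04/0x02 values seen here) that the fifth .sdmp field is a Win32 page protection, and aggregates regions, image names and rule authors per process. The sample lines are constructed copies of entries from both lists.

```python
import re
from collections import defaultdict

# Added example, not part of the Joe Sandbox report: decode the .sdmp and
# .unpack identifiers that the Yara-match lines above are keyed on.

SOURCE_RE = re.compile(
    r"^Source: (?:Yara match File source: )?(?P<src>.+?), type: (?P<type>\w+)"
    r"(?: Matched rule: (?P<rule>.+?) Author: (?P<author>.+))?$"
)
# <proc idx>.<phase>.<dump id>.<base>.<protection>.<kind>.sdmp -- hex fields.
# The field meaning is an assumption inferred from the values in this report.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp$",
    re.I,
)
# <proc idx>.<phase>.<image name>.<base>.<n>[.raw].unpack -- the image name
# can contain dots and spaces, hence the greedy group with backtracking.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-f]+)\."
    r"(?P<n>\d+)(?P<raw>\.raw)?\.unpack$",
    re.I,
)
PROC_RE = re.compile(r"^Process Memory Space: (?P<image>.+) PID: (?P<pid>\d+)$")

# Win32 PAGE_* constants. Assumption: the fifth .sdmp field is the region's
# page protection (0x40, 0x04 and 0x02 are the only values seen above).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
DEFAULT_IMAGE_BASE = 0x400000  # default base of a 32-bit PE without ASLR

# Constructed sample: lines copied in the shape of the two lists above.
SAMPLE = """\
Source: Yara match File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
"""


def decode_source(src):
    """One 'File source' token -> dict describing it, or None if unknown."""
    m = SDMP_RE.match(src)
    if m:
        prot = int(m["prot"], 16)
        return {
            "kind": "sdmp", "proc": int(m["proc"], 16), "phase": int(m["phase"], 16),
            "base": int(m["base"], 16), "prot": prot,
            "prot_name": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
            "executable": bool(prot & 0xF0), "writable": bool(prot & 0xCC),
        }
    m = UNPACK_RE.match(src)
    if m:
        return {
            "kind": "unpack", "proc": int(m["proc"]), "phase": int(m["phase"]),
            "image": m["image"], "base": int(m["base"], 16), "raw": m["raw"] is not None,
        }
    m = PROC_RE.match(src)
    if m:
        return {"kind": "process", "image": m["image"], "pid": int(m["pid"])}
    return None


def summarize(text):
    """Aggregate the Yara-match lines of a report section."""
    images, rules = {}, {}
    regions = defaultdict(lambda: defaultdict(set))  # proc -> base -> {protections}
    rwx_at_image_base = set()
    for line in text.splitlines():
        m = SOURCE_RE.match(line.strip())
        if not m:
            continue
        if m["rule"]:
            rules[m["rule"]] = m["author"]
        d = decode_source(m["src"])
        if d is None:
            continue
        if d["kind"] == "unpack":
            images[d["proc"]] = d["image"]
        elif d["kind"] == "sdmp":
            regions[d["proc"]][d["base"]].add(d["prot_name"])
            # A writable and executable region at the default image base is
            # what a hollowed or self-overwritten 32-bit PE looks like in a dump.
            if d["base"] == DEFAULT_IMAGE_BASE and d["executable"] and d["writable"]:
                rwx_at_image_base.add(d["proc"])
    return {
        "images": images,
        "regions": {p: dict(b) for p, b in regions.items()},
        "rules": rules,
        "rwx_at_image_base": rwx_at_image_base,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for proc in sorted(s["regions"]):
        name = s["images"].get(proc, "?")
        flag = "  <-- RWX at 0x400000" if proc in s["rwx_at_image_base"] else ""
        print(f"process {proc} ({name}){flag}")
        for base, prots in sorted(s["regions"][proc].items()):
            print(f"  {base:#010x}  {', '.join(sorted(prots))}")
    for rule, author in s["rules"].items():
        print(f"rule: {rule!r} by {author}")
```

Two things fall out of the decoded view that the raw list hides: the process index is hexadecimal in .sdmp names but decimal in .unpack names (0000000B and 11 are the same WindowsUpdate.exe instance), and the same HawkEye payload is present in every process at the same base, which is the in-memory signature of a hollowed loader rather than of a second, distinct dropper.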
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO 2010029_pdf Quotation from Alibaba Ale.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 3_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040A2A5 0_2_0040A2A5
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B140F1 0_2_00B140F1
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B121EF 0_2_00B121EF
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AE012A 0_2_00AE012A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AEA20A 0_2_00AEA20A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B1526F 0_2_00B1526F
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AE0352 0_2_00AE0352
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B145ED 0_2_00B145ED
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AE05C2 0_2_00AE05C2
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B0975E 0_2_00B0975E
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AED8C0 0_2_00AED8C0
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AE0823 0_2_00AE0823
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD3998 0_2_00AD3998
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AE0A84 0_2_00AE0A84
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00ADFA9C 0_2_00ADFA9C
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B14A05 0_2_00B14A05
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B0ABCC 0_2_00B0ABCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404DDB 2_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040BD8A 2_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404E4C 2_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404EBD 2_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404F4E 2_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00404419 3_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00404516 3_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00413538 3_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004145A1 3_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040E639 3_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004337AF 3_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004399B1 3_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0043DAE7 3_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00405CF6 3_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00403F85 3_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00411F99 3_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_0040A2A5 8_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F140F1 8_2_00F140F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F121EF 8_2_00F121EF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EE012A 8_2_00EE012A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EE0352 8_2_00EE0352
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EE05C2 8_2_00EE05C2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F0975E 8_2_00F0975E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EED8C0 8_2_00EED8C0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EE0823 8_2_00EE0823
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED3998 8_2_00ED3998
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EE0A84 8_2_00EE0A84
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EDFA9C 8_2_00EDFA9C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F0ABCC 8_2_00F0ABCC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EDFCC4 8_2_00EDFCC4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F0DDAA 8_2_00F0DDAA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EEDD60 8_2_00EEDD60
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EEAEE0 8_2_00EEAEE0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EDFEF7 8_2_00EDFEF7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F0DED7 8_2_00F0DED7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EECFA0 8_2_00EECFA0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_1C882DC7 8_2_1C882DC7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_1C883164 8_2_1C883164
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_0040A2A5 11_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F140F1 11_2_00F140F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F121EF 11_2_00F121EF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EE012A 11_2_00EE012A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F1526F 11_2_00F1526F
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00AF894D appears 46 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00AD1080 appears 69 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00AF63DC appears 32 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: String function: 00AD1BB0 appears 58 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00EF894D appears 88 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00ED302C appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00ED1080 appears 176 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00401ED0 appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 0040569E appears 36 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00EF63DC appears 85 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00ED2AC1 appears 36 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00ED9F33 appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00ED1BB0 appears 157 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
PE file contains strange resources
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different from original file name gathered from version info
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: OriginalFilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Binary or memory string: OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321027884.0000000021BD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll
Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.ed0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 8.2.WindowsUpdate.exe.ed0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 8.0.WindowsUpdate.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@10/13@1/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2148
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB95.tmp
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: WindowsUpdate.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WindowsUpdate.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WindowsUpdate.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WindowsUpdate.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WindowsUpdate.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WindowsUpdate.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File read: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: unknown Process created: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static file information: File size 1074688 > 1048576
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcrypt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ws2_32.pdb0up source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ucrtbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Configuration.pdbKt0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemcomn.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: NapiNSP.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcrt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wrpcrt4.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wntdll.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb:p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: powrprof.pdbBuP source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoreei.pdbOs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winnsi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscms.pdbQn source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptsp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\mscorlib.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wsspicli.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: CLBCatQ.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ntmarta.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc.pdbFp@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wwin32u.pdbup source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptsp.pdb`t0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wkernelbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: psapi.pdb7u` source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shlwapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: version.pdbht source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
Source: Binary string: mscorjit.pdbbt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ODBC32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
Source: Binary string: dwmapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoree.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Windows.Storage.pdbcw source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ws2_32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbDr source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msasn1.pdb8u source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: iphlpapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nsi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdb6 source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb2o source: WERD288.tmp.mdmp.6.dr
Source: Binary string: powrprof.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Configuration.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ole32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp, WERD288.tmp.mdmp.6.dr
Source: Binary string: DWrite.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cfgmgr32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Drawing.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Management.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: combase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Windows.Storage.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc6.pdb]s0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: apphelp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasadhlp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dwmapi.pdbHt0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: pnrpnsp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptbase.pdbjt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: ColorAdapterClient.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wsspicli.pdbkt source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shcore.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fltLib.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shell32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcr80.i386.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msvcp_win.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dpapi.pdbxs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shfolder.pdbit`F source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dnsapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasapi32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Runtime.Remoting.pdb*p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: userenv.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wimm32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wwin32u.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nlaapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: userenv.pdbqs source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winnsi.pdbds source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winhttp.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wUxTheme.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: DDsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: wmiutils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: gdiplus.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: rtutils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorwks.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: profapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: dhcpcsvc6.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Kernel.Appcore.pdbGu source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wgdi32full.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorjit.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: sechost.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winhttp.pdb p source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoree.pdbWsP source: WERD288.tmp.mdmp.6.dr
Source: Binary string: shfolder.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wgdi32full.pdbmt@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rasman.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fastprox.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemsvc.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: winrnr.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Drawing.pdb@ source: WERD288.tmp.mdmp.6.dr
Source: Binary string: msctf.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
Source: Binary string: System.Runtime.Remoting.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wmswsock.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: version.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: rsaenh.pdb]t source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.Xml.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: System.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscms.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: Kernel.Appcore.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: WMINet_Utils.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: psapi.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: fwpuclnt.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcrypt.pdb[t source: WERD288.tmp.mdmp.6.dr
Source: Binary string: cryptbase.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wuser32.pdb@w source: WERD288.tmp.mdmp.6.dr
Source: Binary string: bcryptprimitives.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: mscoreei.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: nlaapi.pdb5o0 source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb[w source: WERD288.tmp.mdmp.6.dr
Source: Binary string: oleaut32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wuser32.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: wbemprox.pdb source: WERD288.tmp.mdmp.6.dr
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WERD288.tmp.mdmp.6.dr
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA, 2_2_00404837
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401F16 push ecx; ret 0_2_00401F29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD1BF6 push ecx; ret 0_2_00AD1C09
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00411879 push ecx; ret 2_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004118A0 push eax; ret 2_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004118A0 push eax; ret 2_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442871 push ecx; ret 3_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442A90 push eax; ret 3_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442A90 push eax; ret 3_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00446E54 push eax; ret 3_2_00446E61
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00401F16 push ecx; ret 8_2_00401F29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED1BF6 push ecx; ret 8_2_00ED1C09
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00401F16 push ecx; ret 11_2_00401F29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED1BF6 push ecx; ret 11_2_00ED1C09

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: \po 2010029_pdf quotation from alibaba ale.exe
Drops PE files
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0040F64B
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 3_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 1500000 Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 5924 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6072 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6004 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 1380 Thread sleep time: -1500000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6840 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5780 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6360 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
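Added example, not part of the Joe Sandbox report: the "Thread delayed" and "Thread sleep time" entries above, parsed and classified against the thresholds the report itself uses. The value 922337203685477 is Int64.MaxValue / 10,000, i.e. a .NET TimeSpan.MaxValue expressed in milliseconds, so those waits (and the 1844674407370954 figure, twice that) are effectively infinite rather than timers; 180000 ms is the 3-minute bound in the signature name; the "-30000s" figure is the 30-second bound the sandbox compares against. The code assumes the sleep-time values are milliseconds despite the "s" suffix (180000 appears in both lists and equals the 3-minute bound). The sample lines are copied from the entries above with the link text dropped; process paths are reduced to their basename.

```python
import re

# A .NET TimeSpan is an Int64 count of 100 ns ticks, so TimeSpan.MaxValue in
# milliseconds is Int64.MaxValue // 10_000 = 922337203685477: the exact value
# logged for several delays above. That is "wait forever", not a timer.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000        # the ">= 3 min" bound in the signature name
SANDBOX_BOUND_MS = 30_000            # the "-30000s" bound printed on the sleep lines

# Matches both line shapes; values are treated as milliseconds (assumption, see lead-in).
LINE = re.compile(
    r"^Source: (?P<proc>.+?) (?:TID: (?P<tid>\d+) )?Thread "
    r"(?:delayed: delay time: (?P<delay>\d+)"
    r"|sleep time: -(?P<sleep>\d+)s >= -(?P<bound>\d+)s)"
)

# Constructed input: the report entries above, minus the "Jump to behavior" link text.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 1500000",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 180000",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 5924 Thread sleep time: -1844674407370954s >= -30000s",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6072 Thread sleep time: -120000s >= -30000s",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6004 Thread sleep time: -140000s >= -30000s",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 1380 Thread sleep time: -1500000s >= -30000s",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6840 Thread sleep time: -180000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5780 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6360 Thread sleep time: -922337203685477s >= -30000s",
]


def classify(ms):
    """Bucket a wait: effectively infinite, long enough to outlast a sandbox run, or short."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def parse_line(line):
    """Return {proc, tid, ms, class} for a delay/sleep line, or None for any other line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ms = int(m.group("delay") or m.group("sleep"))
    proc = m.group("proc").rsplit("\\", 1)[-1]       # basename only
    return {"proc": proc, "tid": m.group("tid"), "ms": ms, "class": classify(ms)}


def summarise(lines):
    """Per-process counts per bucket plus the longest and the total finite wait in ms."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["proc"], {"infinite": 0, "long": 0, "short": 0,
                                         "max_finite_ms": 0, "total_finite_ms": 0})
        s[rec["class"]] += 1
        if rec["class"] != "infinite":
            s["max_finite_ms"] = max(s["max_finite_ms"], rec["ms"])
            s["total_finite_ms"] += rec["ms"]
    return out


if __name__ == "__main__":
    for proc, s in summarise(REPORT_LINES).items():
        print(proc, s, "finite total %.1f min" % (s["total_finite_ms"] / 60000))
```

Even ignoring the infinite waits, the initial sample's finite sleeps add up to about an hour, so a default-length sandbox run only sees the post-sleep behaviour if the sandbox shortens or skips sleeps; the dropped WindowsUpdate.exe copy logs nothing but infinite waits, consistent with a worker that blocks on an event rather than a timer.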
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW, 0_2_00404A29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B018BD FindFirstFileExA, 0_2_00B018BD
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B01BA6 FindFirstFileExW,FindClose,FindNextFileW, 0_2_00B01BA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 3_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F018BD FindFirstFileExA, 8_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW, 8_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D5C FindFirstFileExW, 8_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D31 FindFirstFileExA, 8_2_00F01D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00404A29 FindFirstFileExW, 11_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F018BD FindFirstFileExA, 11_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW, 11_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01D5C FindFirstFileExW, 11_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01D31 FindFirstFileExA, 11_2_00F01D31
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004161B0 memset,GetSystemInfo, 3_2_004161B0
Source: WindowsUpdate.exe, 0000000B.00000003.301585581.000000000166C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301923048.0000000001677000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ|
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040446F
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 3_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA, 2_2_00404837
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_004035F1 mov eax, dword ptr fs:[00000030h] 0_2_004035F1
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B17B00 mov eax, dword ptr fs:[00000030h] 0_2_00B17B00
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD90B9 mov eax, dword ptr fs:[00000030h] 0_2_00AD90B9
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD9077 mov eax, dword ptr fs:[00000030h] 0_2_00AD9077
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF6492 mov eax, dword ptr fs:[00000030h] 0_2_00AF6492
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF64EE mov eax, dword ptr fs:[00000030h] 0_2_00AF64EE
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF640A mov eax, dword ptr fs:[00000030h] 0_2_00AF640A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF644E mov eax, dword ptr fs:[00000030h] 0_2_00AF644E
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF65A5 mov eax, dword ptr fs:[00000030h] 0_2_00AF65A5
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF65EA mov eax, dword ptr fs:[00000030h] 0_2_00AF65EA
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF662F mov eax, dword ptr fs:[00000030h] 0_2_00AF662F
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF6662 mov eax, dword ptr fs:[00000030h] 0_2_00AF6662
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h] 8_2_004035F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F17B00 mov eax, dword ptr fs:[00000030h] 8_2_00F17B00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED90B9 mov eax, dword ptr fs:[00000030h] 8_2_00ED90B9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED9077 mov eax, dword ptr fs:[00000030h] 8_2_00ED9077
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF64EE mov eax, dword ptr fs:[00000030h] 8_2_00EF64EE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF6492 mov eax, dword ptr fs:[00000030h] 8_2_00EF6492
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF644E mov eax, dword ptr fs:[00000030h] 8_2_00EF644E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF640A mov eax, dword ptr fs:[00000030h] 8_2_00EF640A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF65EA mov eax, dword ptr fs:[00000030h] 8_2_00EF65EA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF65A5 mov eax, dword ptr fs:[00000030h] 8_2_00EF65A5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF6662 mov eax, dword ptr fs:[00000030h] 8_2_00EF6662
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF662F mov eax, dword ptr fs:[00000030h] 8_2_00EF662F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h] 11_2_004035F1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F17B00 mov eax, dword ptr fs:[00000030h] 11_2_00F17B00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED90B9 mov eax, dword ptr fs:[00000030h] 11_2_00ED90B9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED9077 mov eax, dword ptr fs:[00000030h] 11_2_00ED9077
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF64EE mov eax, dword ptr fs:[00000030h] 11_2_00EF64EE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF6492 mov eax, dword ptr fs:[00000030h] 11_2_00EF6492
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF644E mov eax, dword ptr fs:[00000030h] 11_2_00EF644E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF640A mov eax, dword ptr fs:[00000030h] 11_2_00EF640A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF65EA mov eax, dword ptr fs:[00000030h] 11_2_00EF65EA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF65A5 mov eax, dword ptr fs:[00000030h] 11_2_00EF65A5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF6662 mov eax, dword ptr fs:[00000030h] 11_2_00EF6662
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF662F mov eax, dword ptr fs:[00000030h] 11_2_00EF662F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F17F90 mov eax, dword ptr fs:[00000030h] 11_2_00F17F90
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_004067FE GetProcessHeap, 0_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401E1D SetUnhandledExceptionFilter, 0_2_00401E1D
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040446F
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00401C88
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00401F30
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD1AF5 SetUnhandledExceptionFilter, 0_2_00AD1AF5
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00AF66D3
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00AD1963
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00401E1D SetUnhandledExceptionFilter, 8_2_00401E1D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0040446F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00401C88
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00401F30
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED1AF5 SetUnhandledExceptionFilter, 8_2_00ED1AF5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00EF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00EF66D3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00ED1963
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED1DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00ED1DDE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00401E1D SetUnhandledExceptionFilter, 11_2_00401E1D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0040446F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00401C88
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00401F30
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED1AF5 SetUnhandledExceptionFilter, 11_2_00ED1AF5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00EF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00EF66D3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00ED1963
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED1DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00ED1DDE
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory allocated: page read and write | page guard Jump to behavior
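Added example, not from the report or the sample: a static scanner for the `mov r32, fs:[30h]` (x86) and `mov r64, gs:[60h]` (x64) PEB loads that the "Contains functionality to read the PEB" entries above are built on. Beyond locating the load, it decodes the field read immediately afterwards (BeingDebugged at +0x02, Ldr at +0x0C, ProcessHeap at +0x18, NtGlobalFlag at +0x68 on x86; +0x02, +0x18, +0x30, +0xBC on x64), which is what separates a debugger check from an ordinary PEB access such as walking the loader list. The byte string is constructed for the example. Caveat for triage: PEB reads and the IsProcessorFeaturePresent / IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter chains listed above also appear in benign MSVC-built binaries (the runtime's failure-reporting path), so on their own they are weak evidence; the "Process queried: DebugPort" entry (NtQueryInformationProcess with the ProcessDebugPort class, which returns a non-zero value when a debugger is attached) is the stronger runtime signal on this page.

```python
import re

# PEB fields that anti-debug code reads right after loading the PEB pointer.
PEB_FIELDS = {
    "x86": {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"},
    "x64": {0x02: "BeingDebugged", 0x18: "Ldr", 0x30: "ProcessHeap", 0xBC: "NtGlobalFlag"},
}

# x86: 64 A1 30 00 00 00                      mov eax, fs:[30h]
#      64 8B <modrm mod=00 rm=101> 30 00 00 00 mov r32, fs:[30h]
# x64: 65 48 8B <modrm mod=00 rm=100> 25 60 00 00 00   mov r64, gs:[60h]  (SIB, no base/index)
PEB_X86 = re.compile(rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00")
PEB_X64 = re.compile(rb"\x65\x48\x8B(?P<modrm>[\x04\x0C\x14\x1C\x24\x2C\x34\x3C])\x25\x60\x00\x00\x00")


def _field_access(buf, pos, reg):
    """Decode an immediately following `mov/movzx rX, [reg+disp]`; return disp, else None."""
    i = pos
    if i < len(buf) and 0x40 <= buf[i] <= 0x4F:        # optional REX prefix (64-bit code)
        i += 1
    if buf[i:i + 2] in (b"\x0F\xB6", b"\x0F\xB7"):      # movzx r32, byte/word ptr [..]
        i += 2
    elif i < len(buf) and buf[i] in (0x8A, 0x8B):       # mov r8/r32, [..]
        i += 1
    else:
        return None
    if i >= len(buf):
        return None
    mod, rm = buf[i] >> 6, buf[i] & 7
    if rm != reg:                                       # base must be the register holding the PEB
        return None
    if mod == 1 and i + 1 < len(buf):
        return buf[i + 1]                               # disp8; the PEB offsets used here are positive
    if mod == 2 and i + 4 < len(buf):
        return int.from_bytes(buf[i + 1:i + 5], "little")   # disp32 (needed for x64 NtGlobalFlag)
    return None


def scan_peb_reads(buf):
    """Return every PEB load with its architecture, destination register and the field read next."""
    hits = []
    for arch, pat in (("x86", PEB_X86), ("x64", PEB_X64)):
        for m in pat.finditer(buf):
            modrm = m.group("modrm")
            reg = (modrm[0] >> 3) & 7 if modrm else 0   # the A1 form always targets eax
            disp = _field_access(buf, m.end(), reg)
            hits.append({"offset": m.start(), "arch": arch, "reg": reg,
                         "field": PEB_FIELDS[arch].get(disp) if disp is not None else None})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed code bytes (not the sample's): three classic x86 checks and one x64 check.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"                      # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"             # mov eax, fs:[30h]
    "0F B6 40 02"                   # movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
    "85 C0 75 10"                   # test eax, eax; jnz +10h
    "64 8B 0D 30 00 00 00"          # mov ecx, fs:[30h]
    "8B 49 68"                      # mov ecx, [ecx+68h]            -> PEB.NtGlobalFlag
    "83 E1 70"                      # and ecx, 70h                  (heap debug flags set under a debugger)
    "64 8B 15 30 00 00 00"          # mov edx, fs:[30h]
    "8B 52 18"                      # mov edx, [edx+18h]            -> PEB.ProcessHeap
    "65 48 8B 04 25 60 00 00 00"    # mov rax, gs:[60h]             (64-bit variant)
    "8B 80 BC 00 00 00"             # mov eax, [rax+0BCh]           -> PEB.NtGlobalFlag (x64)
    "C3"
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE_CODE):
        print("%#06x %s reg%d -> %s" % (h["offset"], h["arch"], h["reg"], h["field"]))
```

The scan is byte-pattern based and not instruction-aligned, so run it over code sections only and treat a hit with `field` set to None as "PEB read for some other purpose" rather than as a debugger check.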

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040208D cpuid 0_2_0040208D
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B06054
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: EnumSystemLocalesW, 0_2_00AF8376
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: EnumSystemLocalesW, 0_2_00AF84D1
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: EnumSystemLocalesW, 0_2_00AF8450
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00B056EB
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: EnumSystemLocalesW, 0_2_00B059D7
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: EnumSystemLocalesW, 0_2_00B0596E
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: EnumSystemLocalesW, 0_2_00B05A72
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00F06054
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 8_2_00EF8376
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 8_2_00EF84D1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_00F056EB
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 8_2_00F059D7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 8_2_00F0596E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 8_2_00F05A72
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00F05B00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW, 8_2_00F05D50
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00F05E79
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW, 8_2_00F05F81
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW, 8_2_00EF8F37
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_00F06054
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 11_2_00EF8376
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 11_2_00EF84D1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 11_2_00EF8450
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_00F056EB
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 11_2_00F059D7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 11_2_00F0596E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: EnumSystemLocalesW, 11_2_00F05A72
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_00F05B00
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW, 11_2_00F05D50
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_00F05E79
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW, 11_2_00F05F81
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: GetLocaleInfoW, 11_2_00EF8F37
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00401B74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 2_2_0040724C
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B0E962 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00B0E962
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406278 GetVersionExA, 2_2_00406278
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301923048.0000000001677000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
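Triage note on the records above. The API sequence at 0_2_00401B74 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) is the seed set used by the MSVC CRT's __security_init_cookie and appears in almost every Visual C++ binary, so it is not evidence of fingerprinting on its own. The real host-identification indicators in this report are GetComputerNameA/GetUserNameA and GetVersionExA inside the hollowed vbc.exe, the MachineGuid registry read, and the two root\SecurityCenter2 queries that enumerate installed AV and firewall products. The helper below is an added example written for this page; it is not part of the Joe Sandbox report or of HawkEye. It parses the report's own record text (copied verbatim as constructed input), separates the CRT cookie pattern from host identification, and tags the rest. The record layout it parses is the one visible on this page, and the MITRE ATT&CK technique IDs are the editor's mapping, not the sandbox's.

```python
"""Classify sandbox 'Code function', 'WMI Queries' and 'Key value queried'
records into discovery techniques.  Added example, not report code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# APIs that MSVC's __security_init_cookie mixes into the stack-cookie seed.
# A function that calls only a subset of these is CRT start-up, not recon.
CRT_COOKIE_APIS = {"GetSystemTimeAsFileTime", "GetCurrentProcessId",
                   "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"}
# APIs that identify the host or user rather than the runtime.
HOST_ID_APIS = {"GetComputerNameA", "GetComputerNameW", "GetUserNameA",
                "GetUserNameW", "GetVersionExA", "GetVersionExW"}

# Record layout as it appears on the page; the source path may contain spaces.
RECORD_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<kind>Code function|WMI Queries|Key value queried): (?P<detail>.+)$")
WMI_RE = re.compile(r"(root\\[\w\\]+)\s*:\s*SELECT\b.*?\bFROM\s+(\w+)", re.I)

# Constructed input: the records from this report, copied verbatim.
RECORDS = [
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00401B74",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 2_2_0040724C",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B0E962 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00B0E962",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406278 GetVersionExA, 2_2_00406278",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct",
]


@dataclass(frozen=True)
class Finding:
    process: str               # image name of the process that performed the action
    item: str                  # function id, WMI namespace:class, or registry value
    verdict: str
    technique: Optional[str]   # ATT&CK ID (editor's mapping); None when benign/unclassified


def classify(record: str) -> Optional[Finding]:
    """Turn one report record into a Finding, or None if it is not a record we parse."""
    record = re.sub(r"\s*Jump to behavior$", "", record)   # drop the report's link text
    m = RECORD_RE.match(record)
    if not m:
        return None
    process = m["src"].rsplit("\\", 1)[-1]
    kind, detail = m["kind"], m["detail"]

    if kind == "Code function":
        # "<id> api1,api2,...,apiN, <id>"  ->  set of APIs called by that function
        func_id, api_list = detail.split()[:2]
        apis = {a for a in api_list.split(",") if a}
        if apis and apis <= CRT_COOKIE_APIS:
            return Finding(process, func_id, "benign: MSVC CRT __security_init_cookie", None)
        hits = apis & HOST_ID_APIS
        if hits:
            return Finding(process, func_id,
                           "host/user identification via " + ", ".join(sorted(hits)), "T1082")
        return Finding(process, func_id, "no host-identification API", None)

    if kind == "WMI Queries":
        w = WMI_RE.search(detail)
        if not w:
            return Finding(process, detail, "unparsed WMI query", "T1047")
        namespace, wmi_class = w.groups()
        if namespace.lower() == r"root\securitycenter2":
            return Finding(process, f"{namespace}:{wmi_class}", "security software discovery", "T1518.001")
        return Finding(process, f"{namespace}:{wmi_class}", "WMI query", "T1047")

    # Key value queried: "<key path> <value name>"
    key, _, value = detail.rpartition(" ")
    if value == "MachineGuid" and key.lower().endswith(r"\microsoft\cryptography"):
        return Finding(process, value, "machine identifier read (victim ID)", "T1082")
    return Finding(process, f"{key}\\{value}", "registry query", "T1012")


def techniques(records: List[str]) -> Set[str]:
    """Set of ATT&CK technique IDs evidenced by the given records."""
    return {f.technique for f in map(classify, records) if f and f.technique}


if __name__ == "__main__":
    for f in filter(None, map(classify, RECORDS)):
        print(f"{f.process:<45} {f.technique or '-':<10} {f.item}: {f.verdict}")
```

Run against the seven records from this page, the helper reports T1082 for the vbc.exe functions and the MachineGuid read, T1518.001 for both SecurityCenter2 queries, and marks 0_2_00401B74 as CRT start-up rather than discovery.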

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6084, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
Source: Yara match File source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 2_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 2_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 2_2_004033D7
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 968, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe String found in binary or memory: HawkEyeKeylogger
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp String found in binary or memory: kr'&HawkEye_Keylogger_Execution_Confirmed_
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp String found in binary or memory: kr#"HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected HawkEye Keylogger
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_1AEB0F6E bind, 8_2_1AEB0F6E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_1AEB0B5E listen, 8_2_1AEB0B5E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_1AEB0B20 listen, 8_2_1AEB0B20
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_1AEB0F3B bind, 8_2_1AEB0F3B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_1EFB0B5E listen, 11_2_1EFB0B5E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_1EFB1096 bind, 11_2_1EFB1096
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_1EFB1063 bind, 11_2_1EFB1063
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_1EFB0B20 listen, 11_2_1EFB0B20
Behavior Graph

Behavior Graph ID: 341532
Sample: PO 2010029_pdf Quotation from Alibaba Ale.exe
Start date: 19/01/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 11 other signatures

Process tree:
  PO 2010029_pdf Quotation from Alibaba Ale.exe (started)
    Network: whatismyipaddress.com 104.16.155.36 (ports 49709, 80), CLOUDFLARENETUS, United States; 192.168.2.1 (unknown)
    Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\...\WindowsUpdate.exe:Zone.Identifier (ASCII)
    Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
    vbc.exe (started): Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
    vbc.exe (started): Tries to harvest and steal browser information (history, passwords, etc)
    WerFault.exe (started)
    dw20.exe (started)
  WindowsUpdate.exe (started)
    Network: 127.0.0.1 (unknown)
    Dropped: C:\Users\user\...\WindowsUpdate.exe.log (ASCII)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  WindowsUpdate.exe (started)

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name         Malicious
104.16.155.36  unknown  United States  13335  CLOUDFLARENETUS  false

Private IPs

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name                   IP             Active
whatismyipaddress.com  104.16.155.36  true

Contacted URLs

Name                           Malicious  Antivirus Detection  Reputation
http://whatismyipaddress.com/  false      (none)               high