Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID: 341532
MD5: eb59d99961c7636b4872e389da03cbc9
SHA1: 22d5fb0f076a0d945596b7938e72b6b5cae73674
SHA256: 4dd89aea31cfb64c8fa6b542c9ad002e4041ef5249f2072947df749e00e7fd9e
Tags: exe, Yahoo

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO 2010029_pdf Quotation from Alibaba Ale.exe (PID: 2148 cmdline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
    • dw20.exe (PID: 4636 cmdline: dw20.exe -x -s 2216 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • vbc.exe (PID: 6084 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 968 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • WerFault.exe (PID: 6004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 4848 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
  • WindowsUpdate.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b833:$key: HawkEyeKeylogger
  • 0x7dab7:$salt: 099u787978786
  • 0x7be96:$string1: HawkEye_Keylogger
  • 0x7cce9:$string1: HawkEye_Keylogger
  • 0x7da17:$string1: HawkEye_Keylogger
  • 0x7c27f:$string2: holdermail.txt
  • 0x7c29f:$string2: holdermail.txt
  • 0x7c1c1:$string3: wallet.dat
  • 0x7c1d9:$string3: wallet.dat
  • 0x7c1ef:$string3: wallet.dat
  • 0x7d5db:$string4: Keylog Records
  • 0x7d8f3:$string4: Keylog Records
  • 0x7db0f:$string5: do not script -->
  • 0x7b81b:$string6: \pidloc.txt
  • 0x7b8a9:$string7: BSPLIT
  • 0x7b8b9:$string7: BSPLIT
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7beee:$hawkstr1: HawkEye Keylogger
  • 0x7cd2f:$hawkstr1: HawkEye Keylogger
  • 0x7d05e:$hawkstr1: HawkEye Keylogger
  • 0x7d1b9:$hawkstr1: HawkEye Keylogger
  • 0x7d31c:$hawkstr1: HawkEye Keylogger
  • 0x7d5b3:$hawkstr1: HawkEye Keylogger
  • 0x7ba7c:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0b1:$hawkstr2: Dear HawkEye Customers!
  • 0x7d208:$hawkstr2: Dear HawkEye Customers!
  • 0x7d36f:$hawkstr2: Dear HawkEye Customers!
  • 0x7bb9d:$hawkstr3: HawkEye Logger Details:
(91 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x58eb7:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x5883f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x8908b:$key: HawkEyeKeylogger
  • 0x8b30f:$salt: 099u787978786
  • 0x896ee:$string1: HawkEye_Keylogger
  • 0x8a541:$string1: HawkEye_Keylogger
  • 0x8b26f:$string1: HawkEye_Keylogger
  • 0x89ad7:$string2: holdermail.txt
  • 0x89af7:$string2: holdermail.txt
  • 0x89a19:$string3: wallet.dat
  • 0x89a31:$string3: wallet.dat
  • 0x89a47:$string3: wallet.dat
  • 0x8ae33:$string4: Keylog Records
  • 0x8b14b:$string4: Keylog Records
  • 0x8b367:$string5: do not script -->
  • 0x89073:$string6: \pidloc.txt
  • 0x89101:$string7: BSPLIT
  • 0x89111:$string7: BSPLIT
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(110 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.968.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Joe Sandbox ML: detected
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: autorun.inf
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: [autorun]
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00404A29 FindFirstFileExW, 0_2_00404A29
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00B018BD FindFirstFileExA, 0_2_00B018BD
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00B01BA6 FindFirstFileExW, FindClose, FindNextFileW, 0_2_00B01BA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00406EC3 FindFirstFileA, FindNextFileA, strlen, strlen, 2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408441 FindFirstFileW, FindNextFileW, wcslen, wcslen, 3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00407E0E FindFirstFileW, FindNextFileW, FindClose, 3_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F018BD FindFirstFileExA, 8_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01BA6 FindFirstFileExW, FindClose, FindNextFileW, 8_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01D5C FindFirstFileExW, 8_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01D31 FindFirstFileExA, 8_2_00F01D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00404A29 FindFirstFileExW, 11_2_00404A29
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F018BD FindFirstFileExA, 11_2_00F018BD
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01BA6 FindFirstFileExW, FindClose, FindNextFileW, 11_2_00F01BA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01D5C FindFirstFileExW, 11_2_00F01D5C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01D31 FindFirstFileExA, 11_2_00F01D31
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 8_2_1AE40728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_1C940728

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com (5 queries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFUR