
Analysis Report PO 2010029_pdf Quotation from Alibaba Ale.exe

Overview

General Information

Sample Name: PO 2010029_pdf Quotation from Alibaba Ale.exe
Analysis ID: 341532
MD5: eb59d99961c7636b4872e389da03cbc9
SHA1: 22d5fb0f076a0d945596b7938e72b6b5cae73674
SHA256: 4dd89aea31cfb64c8fa6b542c9ad002e4041ef5249f2072947df749e00e7fd9e
Tags: exe, Yahoo

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO 2010029_pdf Quotation from Alibaba Ale.exe (PID: 2148 cmdline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
    • dw20.exe (PID: 4636 cmdline: dw20.exe -x -s 2216 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • vbc.exe (PID: 6084 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 968 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • WerFault.exe (PID: 6004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 4848 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
  • WindowsUpdate.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EB59D99961C7636B4872E389DA03CBC9)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b833:$key: HawkEyeKeylogger
  • 0x7dab7:$salt: 099u787978786
  • 0x7be96:$string1: HawkEye_Keylogger
  • 0x7cce9:$string1: HawkEye_Keylogger
  • 0x7da17:$string1: HawkEye_Keylogger
  • 0x7c27f:$string2: holdermail.txt
  • 0x7c29f:$string2: holdermail.txt
  • 0x7c1c1:$string3: wallet.dat
  • 0x7c1d9:$string3: wallet.dat
  • 0x7c1ef:$string3: wallet.dat
  • 0x7d5db:$string4: Keylog Records
  • 0x7d8f3:$string4: Keylog Records
  • 0x7db0f:$string5: do not script -->
  • 0x7b81b:$string6: \pidloc.txt
  • 0x7b8a9:$string7: BSPLIT
  • 0x7b8b9:$string7: BSPLIT

Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7beee:$hawkstr1: HawkEye Keylogger
  • 0x7cd2f:$hawkstr1: HawkEye Keylogger
  • 0x7d05e:$hawkstr1: HawkEye Keylogger
  • 0x7d1b9:$hawkstr1: HawkEye Keylogger
  • 0x7d31c:$hawkstr1: HawkEye Keylogger
  • 0x7d5b3:$hawkstr1: HawkEye Keylogger
  • 0x7ba7c:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0b1:$hawkstr2: Dear HawkEye Customers!
  • 0x7d208:$hawkstr2: Dear HawkEye Customers!
  • 0x7d36f:$hawkstr2: Dear HawkEye Customers!
  • 0x7bb9d:$hawkstr3: HawkEye Logger Details:
  (91 entries in total; only the first are listed here)

Unpacked PEs

Source: 2.2.vbc.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack
Rule: MAL_RANSOM_COVID19_Apr20_1
Description: Detects ransomware distributed in COVID-19 theme
Author: Florian Roth
Strings:
  • 0x58eb7:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x5883f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x8908b:$key: HawkEyeKeylogger
  • 0x8b30f:$salt: 099u787978786
  • 0x896ee:$string1: HawkEye_Keylogger
  • 0x8a541:$string1: HawkEye_Keylogger
  • 0x8b26f:$string1: HawkEye_Keylogger
  • 0x89ad7:$string2: holdermail.txt
  • 0x89af7:$string2: holdermail.txt
  • 0x89a19:$string3: wallet.dat
  • 0x89a31:$string3: wallet.dat
  • 0x89a47:$string3: wallet.dat
  • 0x8ae33:$string4: Keylog Records
  • 0x8b14b:$string4: Keylog Records
  • 0x8b367:$string5: do not script -->
  • 0x89073:$string6: \pidloc.txt
  • 0x89101:$string7: BSPLIT
  • 0x89111:$string7: BSPLIT

Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

(110 entries in total; only the first are listed here)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
  Source: vbc.exe.968.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack | Avira: Label: TR/Inject.vcoldi
  Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack | Avira: Label: TR/Inject.vcoldi
  Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
  Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
  Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
  Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
  Source: 11.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
  Source: 11.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
  Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack | Avira: Label: TR/Inject.vcoldi
  Source: 8.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
  Source: 8.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
  Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
  Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
  Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack | Avira: Label: TR/Inject.vcoldi
  Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack | Avira: Label: TR/Inject.vcoldi
  Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack | Avira: Label: TR/AD.MExecute.lzrac
  Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack | Avira: Label: SPR/Tool.MailPassView.473
  Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
  Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
  Source: Binary string: rsaenh.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
  Source: Binary string: wkernel32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: bcrypt.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ws2_32.pdb0up source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ucrtbase.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Configuration.pdbKt0 source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wbemcomn.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: NapiNSP.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: msvcrt.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wrpcrt4.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wntdll.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
  Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb:p source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: powrprof.pdbBuP source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscoreei.pdbOs source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: winnsi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscms.pdbQn source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: cryptsp.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: C:\Windows\mscorlib.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: advapi32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wsspicli.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: msi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: CLBCatQ.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ntmarta.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: dhcpcsvc.pdbFp@ source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wwin32u.pdbup source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: cryptsp.pdb`t0 source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wkernelbase.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: psapi.pdb7u` source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: shlwapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: version.pdbht source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
  Source: Binary string: mscorjit.pdbbt source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ODBC32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
  Source: Binary string: dwmapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscoree.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: Windows.Storage.pdbcw source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ws2_32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorlib.pdbDr source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: msasn1.pdb8u source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: iphlpapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: nsi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorlib.pdb6 source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: rasman.pdb2o source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: powrprof.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Configuration.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ole32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: msasn1.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp, WERD288.tmp.mdmp.6.dr
  Source: Binary string: DWrite.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: cfgmgr32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Drawing.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Management.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: combase.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: Windows.Storage.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: dhcpcsvc6.pdb]s0 source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: dpapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: apphelp.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: rasadhlp.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: dhcpcsvc.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: dwmapi.pdbHt0 source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: pnrpnsp.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: cryptbase.pdbjt source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: ColorAdapterClient.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wsspicli.pdbkt source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: shcore.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: wgdi32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: fltLib.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: shell32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: msvcr80.i386.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: msvcp_win.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: dpapi.pdbxs source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: shfolder.pdbit`F source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: dnsapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: rasapi32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Runtime.Remoting.pdb*p source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: userenv.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wimm32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wwin32u.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: nlaapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: userenv.pdbqs source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: winnsi.pdbds source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: winhttp.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wUxTheme.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: DDsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
  Source: Binary string: wmiutils.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: gdiplus.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
  Source: Binary string: rtutils.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorwks.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: profapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: dhcpcsvc6.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: Kernel.Appcore.pdbGu source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wgdi32full.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorjit.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: sechost.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: winhttp.pdb p source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscoree.pdbWsP source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: shfolder.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wgdi32full.pdbmt@ source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: rasman.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: fastprox.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wbemsvc.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: winrnr.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Drawing.pdb@ source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: msctf.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
  Source: Binary string: System.Runtime.Remoting.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wmswsock.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: version.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: rsaenh.pdb]t source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.Xml.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: System.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscms.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp
  Source: Binary string: System.Windows.Forms.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: Kernel.Appcore.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: WMINet_Utils.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: psapi.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: fwpuclnt.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: bcrypt.pdb[t source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: cryptbase.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wuser32.pdb@w source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: bcryptprimitives.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: mscoreei.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: nlaapi.pdb5o0 source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
  Source: Binary string: msvcp_win.pdb[w source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: oleaut32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wuser32.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: wbemprox.pdb source: WERD288.tmp.mdmp.6.dr
  Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
  Source: Binary string: crypt32.pdb source: WERD288.tmp.mdmp.6.dr
May infect USB drives
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: autorun.inf
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Binary or memory string: [autorun]
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp | Binary or memory string: [autorun]
  Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
  Source: WindowsUpdate.exe | Binary or memory string: [autorun]
  Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
  Source: WindowsUpdate.exe | Binary or memory string: [autorun]

  Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00404A29 FindFirstFileExW,
  Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00B018BD FindFirstFileExA,
  Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00B01BA6 FindFirstFileExW,FindClose,FindNextFileW,
  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00404A29 FindFirstFileExW,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F018BD FindFirstFileExA,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01D5C FindFirstFileExW,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 8_2_00F01D31 FindFirstFileExA,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00404A29 FindFirstFileExW,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F018BD FindFirstFileExA,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01D5C FindFirstFileExW,
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00F01D31 FindFirstFileExA,
Found inlined nop instructions (likely shell or obfuscated code)
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
  Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

Networking:

May check the online IP address of the machine
  Source: unknown | DNS query: name: whatismyipaddress.com
  Source: unknown | DNS query: name: whatismyipaddress.com
  Source: unknown | DNS query: name: whatismyipaddress.com
  Source: unknown | DNS query: name: whatismyipaddress.com
  Source: unknown | DNS query: name: whatismyipaddress.com
  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: whatismyipaddress.com  Connection: Keep-Alive
  Source: Joe Sandbox View | IP Address: 104.16.155.36
  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: whatismyipaddress.com  Connection: Keep-Alive
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
  Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
  Source: WindowsUpdate.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
  Source: vbc.exe, 00000003.00000003.245528532.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
  Source: vbc.exe, 00000003.00000003.245528532.00000000008BC000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
              Source: unknown	DNS traffic detected: queries for: whatismyipaddress.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222007881.000000001F12D000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
              Source: WindowsUpdate.exe, 00000008.00000002.308158001.000000001CC12000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312377035.000000001CCB1000.00000004.00000001.sdmp	String found in binary or memory: http://foo.com/fooT
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com
              Source: WindowsUpdate.exe	String found in binary or memory: http://whatismyipaddress.com/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.224519756.000000001F137000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.12
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comItaf
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comeci
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comitk.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comypo
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comceco
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn(
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnBm
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnxmQ
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.227248438.000000001F12F000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
              Source: WindowsUpdate.exe	String found in binary or memory: https://login.yahoo.com/config/login
              Source: WindowsUpdate.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match	File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara match	File source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match	File source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs	.Net Code: HookKeyboard
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs	.Net Code: HookKeyboard
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs	.Net Code: HookKeyboard
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301871315.000000000164A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT	Author: Kevin Breen <kevin@techanarchy.net>
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory	Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00AF894D appears 46 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00AD1080 appears 69 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00AF63DC appears 32 times
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Code function: String function: 00AD1BB0 appears 58 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00EF894D appears 88 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00ED302C appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00ED1080 appears 176 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00401ED0 appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 0040569E appears 36 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00EF63DC appears 85 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00ED2AC1 appears 36 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00ED9F33 appears 44 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Code function: String function: 00ED1BB0 appears 157 times
Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Binary or memory string: OriginalFilename vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Binary or memory string: OriginalFileName vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321027884.0000000021BD0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamemailpv.exe< vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamePhulli.exe0 vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO 2010029_pdf Quotation from Alibaba Ale.exe
Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe, Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Section loaded: security.dll
Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.ed0000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 8.2.WindowsUpdate.exe.ed0000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 8.0.WindowsUpdate.exe.ed0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.ed0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/13@1/3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2148
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB95.tmp
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: WindowsUpdate.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: WindowsUpdate.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: WindowsUpdate.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: WindowsUpdate.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: WindowsUpdate.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: WindowsUpdate.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | ReversingLabs: Detection: 36%
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File read: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
              Source: unknown | Process created: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static file information: File size 1074688 > 1048576
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: rsaenh.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: wkernel32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: bcrypt.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ws2_32.pdb0up source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ucrtbase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Configuration.pdbKt0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wbemcomn.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: NapiNSP.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msvcrt.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wrpcrt4.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wntdll.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb:p source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: powrprof.pdbBuP source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoreei.pdbOs source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winnsi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscms.pdbQn source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptsp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\mscorlib.pdbd source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wsspicli.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: CLBCatQ.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ntmarta.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dhcpcsvc.pdbFp@ source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wwin32u.pdbup source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptsp.pdb`t0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wkernelbase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: psapi.pdb7u` source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shlwapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: version.pdbht source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe
              Source: Binary string: mscorjit.pdbbt source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ODBC32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe
              Source: Binary string: dwmapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoree.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Windows.Storage.pdbcw source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ws2_32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdbDr source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msasn1.pdb8u source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: iphlpapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: nsi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdb6 source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb2o source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: powrprof.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Configuration.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ole32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: msasn1.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp, WERD288.tmp.mdmp.6.dr
              Source: Binary string: DWrite.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cfgmgr32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Drawing.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Management.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: combase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Windows.Storage.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dhcpcsvc6.pdb]s0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: dpapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: apphelp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rasadhlp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dwmapi.pdbHt0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: pnrpnsp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptbase.pdbjt source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: ColorAdapterClient.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wsspicli.pdbkt source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shcore.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: fltLib.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shell32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msvcr80.i386.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msvcp_win.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dpapi.pdbxs source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shfolder.pdbit`F source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dnsapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rasapi32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Runtime.Remoting.pdb*p source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: userenv.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wimm32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wwin32u.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: nlaapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: userenv.pdbqs source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winnsi.pdbds source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winhttp.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wUxTheme.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: DDsymbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: wmiutils.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: gdiplus.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorlib.pdbH source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: rtutils.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorwks.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: profapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: dhcpcsvc6.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Kernel.Appcore.pdbGu source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wgdi32full.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorjit.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: sechost.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winhttp.pdb p source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoree.pdbWsP source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: shfolder.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wgdi32full.pdbmt@ source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rasman.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: fastprox.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wbemsvc.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: winrnr.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Drawing.pdb@ source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: msctf.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe
              Source: Binary string: System.Runtime.Remoting.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wmswsock.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: version.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: rsaenh.pdb]t source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.Xml.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: System.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscms.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscorrc.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.304520747.000000001B140000.00000002.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: Kernel.Appcore.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: WMINet_Utils.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: psapi.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: fwpuclnt.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: bcrypt.pdb[t source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: cryptbase.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wuser32.pdb@w source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: bcryptprimitives.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: mscoreei.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: nlaapi.pdb5o0 source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.321080904.0000000021E7A000.00000004.00000010.sdmp
              Source: Binary string: msvcp_win.pdb[w source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: oleaut32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wuser32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: wbemprox.pdb source: WERD288.tmp.mdmp.6.dr
              Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.312366191.000000001C847000.00000004.00000040.sdmp
              Source: Binary string: crypt32.pdb source: WERD288.tmp.mdmp.6.dr
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00401F16 push ecx; ret
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD1BF6 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00411879 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004118A0 push eax; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442871 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00442A90 push eax; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00446E54 push eax; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00401F16 push ecx; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00ED1BF6 push ecx; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00401F16 push ecx; ret
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00ED1BF6 push ecx; ret
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: \po 2010029_pdf quotation from alibaba ale.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

              Hooking and other Techniques for Hiding and Protection:

              Icon mismatch, binary includes an icon from a different legit application in order to fool users
              Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
              Changes the view of files in windows explorer (hidden files and folders)
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 1500000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Thread delayed: delay time: 180000
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 5924 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6072 Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6004 Thread sleep time: -140000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 1380 Thread sleep time: -1500000s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe TID: 6840 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5780 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6360 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B018BD FindFirstFileExA,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B01BA6 FindFirstFileExW,FindClose,FindNextFileW,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F018BD FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D5C FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00F01D31 FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F018BD FindFirstFileExA,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01BA6 FindFirstFileExW,FindClose,FindNextFileW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01D5C FindFirstFileExW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00F01D31 FindFirstFileExA,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004161B0 memset,GetSystemInfo,
              Source: WindowsUpdate.exe, 0000000B.00000003.301585581.000000000166C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301923048.0000000001677000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ|
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.320060762.0000000021310000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00B17B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD90B9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AD9077 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF6492 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF64EE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF640A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF644E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF65A5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF65EA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF662F mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe Code function: 0_2_00AF6662 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00F17B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED90B9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED9077 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF64EE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF6492 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF644E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF640A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF65EA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF65A5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF6662 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF662F mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00F17B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED90B9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED9077 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF64EE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF6492 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF644E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF640A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF65EA mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF65A5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF6662 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF662F mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00F17F90 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_004067FE GetProcessHeap,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AD1AF5 SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00AD1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED1AF5 SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00EF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00ED1DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED1AF5 SetUnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00EF66D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00ED1DDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
              Sample uses process hollowing technique
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2216
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: 0_2_0040208D cpuid
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: EnumSystemLocalesW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeCode function: 0_2_00B0E962 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00406278 GetVersionExA,
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.301923048.0000000001677000.00000004.00000020.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
              Source: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

              Stealing of Sensitive Information:

              Yara detected HawkEye Keylogger
              Source: Yara matchFile source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Yara detected MailPassView
              Source: Yara matchFile source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6084, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara matchFile source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Tries to steal Instant Messenger accounts or passwords
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
              Tries to steal Mail credentials (via file access)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Tries to steal Mail credentials (via file registry)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: ESMTPPassword
              Yara detected WebBrowserPassView password recovery tool
              Source: Yara matchFile source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 968, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Detected HawkEye Rat
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exeString found in binary or memory: HawkEyeKeylogger
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exeString found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exeString found in binary or memory: HawkEye_Keylogger_Stealer_Records_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exeString found in binary or memory: HawkEye_Keylogger_Keylog_Records_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmpString found in binary or memory: kr'&HawkEye_Keylogger_Execution_Confirmed_
              Source: PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmpString found in binary or memory: kr#"HawkEye_Keylogger_Stealer_Records_
              Source: WindowsUpdate.exeString found in binary or memory: HawkEyeKeylogger
              Source: WindowsUpdate.exeString found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
              Source: WindowsUpdate.exeString found in binary or memory: HawkEye_Keylogger_Stealer_Records_
              Source: WindowsUpdate.exeString found in binary or memory: HawkEye_Keylogger_Keylog_Records_
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: WindowsUpdate.exeString found in binary or memory: HawkEyeKeylogger
              Source: WindowsUpdate.exeString found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
              Source: WindowsUpdate.exeString found in binary or memory: HawkEye_Keylogger_Stealer_Records_
              Source: WindowsUpdate.exeString found in binary or memory: HawkEye_Keylogger_Keylog_Records_
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Yara detected HawkEye Keylogger
              Source: Yara matchFile source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: PO 2010029_pdf Quotation from Alibaba Ale.exe PID: 2148, type: MEMORY
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ad90000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1ee40000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1c5f0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1eed0000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.WindowsUpdate.exe.1c5f0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.WindowsUpdate.exe.1ee00000.5.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 8_2_1AEB0F6E bind
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 8_2_1AEB0B5E listen
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 8_2_1AEB0B20 listen
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 8_2_1AEB0F3B bind
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 11_2_1EFB0B5E listen
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 11_2_1EFB1096 bind
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 11_2_1EFB1063 bind
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe. Code function: 11_2_1EFB0B20 listen
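The memory-dump identifiers in the Yara list above encode where each matching region lived and how it was protected, which is what decides which dumps to pull for manual analysis. The parser below is an added example and not Joe Sandbox tooling. The field layout it assumes (process index, time point, sequence number, base address, Windows PAGE_* protection, opaque type) is read off the report's own naming and is an assumption, as is treating 0x400000 as the image base worth flagging. It shows why three of the matches matter most: in each of the three processes there is an RWX region at the default 32-bit image base, the footprint of the process hollowing the report reports for this sample.

```python
"""Parse the Joe Sandbox .sdmp identifiers quoted in the Yara-match list and
rank the regions worth pulling first. Added example, not Joe Sandbox tooling.
ASSUMED field layout, read off the report's own naming:
  <process index>.<time point>.<sequence>.<base address>.<protection>.<type>.sdmp
where <protection> is the Windows PAGE_* value; <type> is left opaque."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

PAGE_PROTECTION = {  # Windows memory protection constants (winnt.h)
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
DEFAULT_IMAGE_BASE = 0x400000  # assumption: the classic 32-bit PE image base
_SDMP = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class Region:
    process: int     # sandbox process index (0 is the submitted sample in this report)
    phase: int       # time point of the dump
    base: int        # region base address
    protection: int  # PAGE_* value
    raw: str         # identifier as printed in the report

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:x}")

    @property
    def is_rwx(self) -> bool:
        return self.protection in EXECUTABLE and self.protection in WRITABLE


def parse_regions(lines: list[str]) -> list[Region]:
    """Collect every .sdmp identifier; lines without one are skipped."""
    regions: list[Region] = []
    for line in lines:
        for m in _SDMP.finditer(line):
            regions.append(Region(int(m["proc"], 16), int(m["phase"], 16),
                                  int(m["base"], 16), int(m["prot"], 16), m.group(0)))
    return regions


def hollowing_candidates(regions: list[Region]) -> list[Region]:
    """RWX memory at the default image base is what a hollowed host looks like:
    the original image was unmapped and a new PE written there with
    PAGE_EXECUTE_READWRITE. Unpack and triage these dumps first."""
    return [r for r in regions if r.is_rwx and r.base == DEFAULT_IMAGE_BASE]


def by_process(regions: list[Region]) -> dict[int, list[Region]]:
    groups: dict[int, list[Region]] = defaultdict(list)
    for r in regions:
        groups[r.process].append(r)
    return dict(groups)


# Sample input: the Yara-match file sources quoted in this report.
REPORT_LINES = [
    "File source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, type: MEMORY",
    "File source: Process Memory Space: WindowsUpdate.exe PID: 4848, type: MEMORY",
]

if __name__ == "__main__":
    regions = parse_regions(REPORT_LINES)
    for proc, regs in sorted(by_process(regions).items()):
        rwx = sum(r.is_rwx for r in regs)
        print(f"process {proc:#x}: {len(regs)} dumps, {rwx} writable+executable")
    for r in hollowing_candidates(regions):
        print(f"  hollowing candidate: {r.raw} ({r.protection_name})")
```

On this report the parser groups the seventeen dumps into processes 0x0, 0x8 and 0xB, finds six RWX regions, and flags one dump per process at 0x400000 as a hollowing candidate; those three are the unpacked images (the *.400000.0.unpack entries) that Avira later labels as MailPassView.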

              Mitre Att&ck Matrix

Columns are separated by "|" and "-" marks an empty cell. Digits after a technique name are the counts attached to it in the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 2 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 11 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 211 | Peripheral Device Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules 1 | Registry Run Keys / Startup Folder 1 | Process Injection 411 | Obfuscated Files or Information 3 | Credentials in Registry 2 | Account Discovery 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Software Packing 11 | Credentials In Files 1 | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture 211 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | System Information Discovery 38 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 2 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Security Software Discovery 161 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 3 | DCSync | Virtualization/Sandbox Evasion 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 411 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Network Configuration Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | - | - | Service Stop

              Behavior Graph

The rendered graph is not recoverable from the extracted page; the node and edge data it carried are listed below.

Behavior Graph ID: 341532. Sample: PO 2010029_pdf Quotation from Alibaba Ale.exe. Start date: 19/01/2021. Architecture: WINDOWS. Score: 100.

Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 11 other signatures.

• PO 2010029_pdf Quotation from Alibaba Ale.exe (started from the root; node counters 16 and 8, the legend's created-registry-values and created-files counts)
  DNS/IP: whatismyipaddress.com, 104.16.155.36 port 80 (local port 49709), CLOUDFLARENETUS, United States; 192.168.2.1 (unknown)
  Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\...\WindowsUpdate.exe:Zone.Identifier (ASCII)
  Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  Child processes started: vbc.exe (Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)); vbc.exe (Tries to harvest and steal browser information (history, passwords, etc)); WerFault.exe; dw20.exe
• WindowsUpdate.exe (started from the root; node counter 5)
  DNS/IP: 127.0.0.1 (unknown)
  Dropped: C:\Users\user\...\WindowsUpdate.exe.log (ASCII)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
• WindowsUpdate.exe (second instance started from the root; node counter 4)


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
PO 2010029_pdf Quotation from Alibaba Ale.exe | 37% | ReversingLabs | Win32.Backdoor.NanoBot
PO 2010029_pdf Quotation from Alibaba Ale.exe | 100% | Joe Sandbox ML | -

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 37% | ReversingLabs | Win32.Backdoor.NanoBot

              Unpacked PE Files

Source | Detection | Scanner | Label
11.2.WindowsUpdate.exe.ed0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
3.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
11.2.WindowsUpdate.exe.1ee40000.4.unpack | 100% | Avira | TR/Inject.vcoldi
8.2.WindowsUpdate.exe.1c5f0000.4.unpack | 100% | Avira | TR/Inject.vcoldi
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.0.PO 2010029_pdf Quotation from Alibaba Ale.exe.ad0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
8.2.WindowsUpdate.exe.1ad90000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
8.2.WindowsUpdate.exe.1ad90000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
11.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
11.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
8.2.WindowsUpdate.exe.ed0000.1.unpack | 100% | Avira | HEUR/AGEN.1138127
11.2.WindowsUpdate.exe.1c5f0000.3.unpack | 100% | Avira | TR/Inject.vcoldi
8.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
8.2.WindowsUpdate.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1efe0000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1c6f0000.4.unpack | 100% | Avira | TR/Inject.vcoldi
8.0.WindowsUpdate.exe.ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
0.2.PO 2010029_pdf Quotation from Alibaba Ale.exe.1ef40000.5.unpack | 100% | Avira | TR/Inject.vcoldi
11.2.WindowsUpdate.exe.1eed0000.5.unpack | 100% | Avira | TR/AD.MExecute.lzrac
11.2.WindowsUpdate.exe.1eed0000.5.unpack | 100% | Avira | SPR/Tool.MailPassView.473
11.0.WindowsUpdate.exe.ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1138127
8.2.WindowsUpdate.exe.1ee00000.5.unpack | 100% | Avira | TR/Inject.vcoldi

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://www.carterandcone.com.12 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnBm | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (4 entries) | safe
http://www.carterandcone.comItaf | 0% | Avira URL Cloud | safe
http://foo.com/fooT | 0% | Avira URL Cloud | safe
http://www.carterandcone.comeci | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (3 entries) | safe
http://www.fontbureau.comceco | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.com | 0% | URL Reputation (3 entries) | safe
http://en.w | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comypo | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 entries) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (3 entries) | safe
http://www.typography.netD | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (3 entries) | safe
http://fontfabrik.com | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (3 entries) | safe
http://www.monotype. | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cnxmQ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 entries) | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation (3 entries) | safe
http://www.sandoll.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.fontbureau.comalic | 0% | URL Reputation (3 entries) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 entries) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comitk. | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn( | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | - | high

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | - | high

URLs from Memory and Binaries

Most of the addresses below are type-foundry URLs of the kind carried in embedded font metadata and are background noise rather than indicators. The entries that bear on the sample's behaviour are http://whatismyipaddress.com (the external IP lookup also listed under contacted domains) and, in WindowsUpdate.exe, https://login.yahoo.com/config/login and http://www.nirsoft.net/; the NirSoft string is consistent with the bundled MailPassView and WebBrowserPassView recovery tools that the report's Yara rules detect.

Name | Source | Malicious | Antivirus Detection | Reputation
                  http://www.apache.org/licenses/LICENSE-2.0PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                    high
                    http://www.carterandcone.com.12PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://www.fontbureau.comPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmpfalse
                      high
                      http://www.fontbureau.com/designersGPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                        high
                        http://www.founder.com.cn/cnBmPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers/?PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                          high
                          http://www.founder.com.cn/cn/bThePO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.carterandcone.comItafPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://foo.com/fooTWindowsUpdate.exe, 00000008.00000002.308158001.000000001CC12000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312377035.000000001CCB1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.com/designers?PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                            high
                            http://www.carterandcone.comeciPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designersBPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmpfalse
                              high
                              http://www.tiro.comPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://whatismyipaddress.comPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmpfalse
                                high
                                http://www.fontbureau.comcecoPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fontbureau.com/designersPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp, PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.228030667.000000001F12D000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.goodfont.co.krPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://en.wPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222007881.000000001F12D000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comypoPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223629764.000000001F138000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comlPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sajatypeworks.comPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.typography.netDPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cn/cThePO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cnPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.monotype.PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.227248438.000000001F12F000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cnxmQPO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
http://whatismyipaddress.com/ | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | false
high
http://www.galapagosdesign.com/DPlease | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
http://www.fontbureau.com/designers8 | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
high
http://www.ascendercorp.com/typedesigners.html | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.224519756.000000001F137000.00000004.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
https://login.yahoo.com/config/login | WindowsUpdate.exe | false
high
http://www.fonts.com | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
high
http://www.sandoll.co.kr | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
http://www.fontbureau.comalic | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317281962.000000001F120000.00000004.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
http://www.urwpp.deDPlease | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
http://www.nirsoft.net/ | WindowsUpdate.exe, 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp | false
high
http://www.zhongyicts.com.cn | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
http://www.carterandcone.comitk. | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.223535347.000000001F138000.00000004.00000001.sdmp | false
• Avira URL Cloud: safe
unknown
http://www.sakkal.com | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000002.317453803.000000001F290000.00000002.00000001.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
unknown
http://www.founder.com.cn/cn( | PO 2010029_pdf Quotation from Alibaba Ale.exe, 00000000.00000003.222855521.000000001F152000.00000004.00000001.sdmp | false
• Avira URL Cloud: safe
unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                Private

                                                IP
                                                192.168.2.1
                                                127.0.0.1

                                                General Information

                                                Joe Sandbox Version:31.0.0 Red Diamond
                                                Analysis ID:341532
                                                Start date:19.01.2021
                                                Start time:14:06:23
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 13m 40s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:34
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.phis.troj.spyw.evad.winEXE@10/13@1/3
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 11.7% (good quality ratio 10.9%)
                                                • Quality average: 77.3%
                                                • Quality standard deviation: 30%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, HxTsr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 2.18.68.82, 51.11.168.160, 2.20.142.210, 2.20.142.209, 51.103.5.186, 92.122.213.201, 92.122.213.247, 20.54.26.129, 40.88.32.150, 168.61.161.212, 51.104.144.132, 51.104.139.180, 52.254.96.93, 52.251.11.100
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
14:08:16 | API Interceptor | 6x Sleep call for process: PO 2010029_pdf Quotation from Alibaba Ale.exe modified
14:08:20 | API Interceptor | 1x Sleep call for process: dw20.exe modified
14:08:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:08:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:08:48 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match: 104.16.155.36
Associated Sample Name / URL | Detection | Context
PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | whatismyipaddress.com/
hkaP5RPCGNDVq3Z.exe | malicious | whatismyipaddress.com/
NDt93WWQwd089H7.exe | malicious | whatismyipaddress.com/
PURCHASE ORDER.exe | malicious | whatismyipaddress.com/
BANK-STATMENT _xlsx.exe | malicious | whatismyipaddress.com/
INQUIRY.exe | malicious | whatismyipaddress.com/
Prueba de pago.exe | malicious | whatismyipaddress.com/
mR3CdUkyLL.exe | malicious | whatismyipaddress.com/
6JLHKYvboo.exe | malicious | whatismyipaddress.com/
jSMd8npgmU.exe | malicious | whatismyipaddress.com/
RXk6PjNTN8.exe | malicious | whatismyipaddress.com/
9vdouqRTh3.exe | malicious | whatismyipaddress.com/
5pB35gGfZ5.exe | malicious | whatismyipaddress.com/
fyxC4Hgs3s.exe | malicious | whatismyipaddress.com/
yk94P18VKp.exe | malicious | whatismyipaddress.com/
oLHQIQAI3N.exe | malicious | whatismyipaddress.com/
WuGzF7ZJ7P.exe | malicious | whatismyipaddress.com/
NXmokFkh3R.exe | malicious | whatismyipaddress.com/
qiGQsdRM57.exe | malicious | whatismyipaddress.com/
NSSPH41vE5.exe | malicious | whatismyipaddress.com/

                                                Domains

Match: whatismyipaddress.com
Associated Sample Name / URL | Detection | Context
PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | 104.16.155.36
hkaP5RPCGNDVq3Z.exe | malicious | 104.16.155.36
B6LNCKjOGt5EmFQ.exe | malicious | 104.16.154.36
NDt93WWQwd089H7.exe | malicious | 104.16.155.36
JkhR5oeRHA.exe | malicious | 66.171.248.178
PURCHASE ORDER.exe | malicious | 104.16.155.36
BANK-STATMENT _xlsx.exe | malicious | 104.16.154.36
INQUIRY.exe | malicious | 104.16.154.36
Prueba de pago.exe | malicious | 104.16.155.36
879mgDuqEE.jar | malicious | 66.171.248.178
remittance1111.jar | malicious | 66.171.248.178
879mgDuqEE.jar | malicious | 66.171.248.178
remittance1111.jar | malicious | 66.171.248.178
https://my-alliances.co.uk/ | malicious | 66.171.248.178
c9o0CtTIYT.exe | malicious | 104.16.154.36
mR3CdUkyLL.exe | malicious | 104.16.155.36
6JLHKYvboo.exe | malicious | 104.16.155.36
jSMd8npgmU.exe | malicious | 104.16.155.36
khJdbt0clZ.exe | malicious | 104.16.154.36
ZMOKwXqVHO.exe | malicious | 104.16.154.36

                                                ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
January RFQ..exe | malicious | 23.227.38.74
SKM_C221200706052800n.exe | malicious | 66.235.200.146
KuPBIsrqbO.exe | malicious | 23.227.38.74
RrZ6BOnPCG.exe | malicious | 104.21.27.226
Fdj5vhj87S.exe | malicious | 104.16.186.173
INV0009876.exe | malicious | 104.21.19.200
00000000987772021.exe | malicious | 172.67.188.154
_MVSEASEAL_RFQ_.xlsx | malicious | 104.16.186.173
Invoice Payment Details.exe | malicious | 66.235.200.147
invoice68684881.xls | malicious | 162.159.134.233
invoice68684881.xls | malicious | 162.159.135.233
RFQ_FOR_PO.exe | malicious | 172.67.188.154
1_cr.exe | malicious | 172.67.219.133
PaySlip140121.xls | malicious | 162.159.135.233
RFQ (2).exe | malicious | 172.67.188.154
1_cr.exe | malicious | 104.21.45.223
PaySlip140121.xls | malicious | 104.22.1.232
TT Slip.doc | malicious | 162.159.133.233
n#U00b0761.xls | malicious | 162.159.133.233
Shipment ConfirmationPaper - Customer Copy_pdf.exe | malicious | 172.67.219.133

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_I3UYUDMLOPVYGRAZ_7057fda4f89bb183663b41fd976febdf70a304b_00000000_124dc6e0\Report.wer
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):18018
                                                Entropy (8bit):3.7671072989618524
                                                Encrypted:false
                                                SSDEEP:192:7VE5vnFWMhV203jZIhy9UcJN5X5Q17zvMvkvDKGwNYeh/u7sfS274It0z:RInFNljzqv3vOh/u7sfX4ItI
                                                MD5:5A930DC669FC64A68231E3F0739BF7A2
                                                SHA1:2ADA755AAC4C1AAE4C6154EA8E503A5F1CAF49A5
                                                SHA-256:7CC51741A64901D2FB0BFAC502C42FAD2F109FE005831BACB958E6663483437F
                                                SHA-512:63D374183C0D9F0A68EF7E46ED2D0DD7654C1B014719C3EDF176DB3CA069DD41BB4559A3C5F78A90C84E6113674D8D43C8CB034BC6E4AAEAC333588A9AF3D81D
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.5.6.7.6.9.7.8.2.0.1.6.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.5.5.6.7.6.9.8.2.1.0.7.9.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.4.d.f.8.f.d.-.5.6.f.9.-.4.a.c.c.-.b.0.3.f.-.6.e.1.7.2.3.3.4.6.6.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.6.4.-.0.0.0.1.-.0.0.1.7.-.a.1.1.e.-.0.1.9.3.a.f.e.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.c.5.e.b.d.5.8.d.1.9.3.3.b.e.2.9.b.8.8.7.2.0.2.0.b.9.e.c.0.5.8.0.0.0.0.f.f.f.f.!.0.0.0.0.2.2.d.5.f.b.0.f.0.7.6.a.0.d.9.4.5.5.9.6.b.7.9.3.8.e.7.2.b.6.b.5.c.a.e.7.3.6.7.4.!.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.n. . .f.r.o.m. .A.l.i.b.a.b.a. .A.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.1././.1.8.:.2.0.:.2.8.:.2.0.!.0.!.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.
                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PO 2010029_pdf _72613674f79bb87c1b11e7d393fe053666d79f1_6467c67c_1726352a\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):19162
                                                Entropy (8bit):3.773653319477634
                                                Encrypted:false
                                                SSDEEP:192:d3q5vWeHBUZMXj03jZIhy9UcJN5X5Q17zvMvkvDKGwNYeSTs/u7sES274ItihBG:opBUZMX4jzqv3vOS4/u7sEX4ItEG
                                                MD5:794BD95DB4ACDF7A0AB11BA3AB6CA638
                                                SHA1:081C01144CD21C704C0B0138BC64D81AE3B70B64
                                                SHA-256:4F64768EAF8E951A12B5269ECC5F3D26D228131F504700375153376BB14C3571
                                                SHA-512:13F3123264DCA07F3DB79D69408444CD823287AF8CA1EF6E0C72AFCF4391B951C462491E21FEAB3C48747BA92B2DE11BF89EEE1977F09A6E9F20BF4A9B910AA9
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.5.6.7.7.0.3.7.4.2.0.2.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.5.5.6.7.7.0.9.7.4.2.0.1.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.c.c.a.1.2.4.-.a.5.b.c.-.4.e.3.9.-.b.c.e.f.-.4.a.f.5.5.e.0.8.7.f.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.d.9.9.5.c.c.-.5.c.7.5.-.4.c.6.9.-.9.3.6.0.-.7.4.6.b.6.9.5.4.3.b.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.O. .2.0.1.0.0.2.9._.p.d.f. . . . .Q.u.o.t.a.t.i.o.n. . .f.r.o.m. .A.l.i.b.a.b.a. .A.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.6.4.-.0.0.0.1.-.0.0.1.7.-.a.1.1.e.-.0.1.9.3.a.f.e.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.c.5.e.b.d.5.8.d.1.9.3.3.b.e.2.9.b.8.8.7.2.0.2.0.b.9.e.c.0.5.8.0.0.0.0.f.f.f.f.!.0.0.0.0.2.2.d.5.f.b.0.f.0.7.6.a.0.d.9.4.5.5.9.6.b.7.9.3.8.e.7.2.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB95.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):7786
                                                Entropy (8bit):3.712017053076674
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNihCx6yo6YSBmSUDMvgmfZ4OQSkCp1Lng1f45m:RrlsNiy6yo6YlSUDMvgmfGOQSNLnqfr
                                                MD5:84CEF630CF0681BFAFF5795DCD1DD9BF
                                                SHA1:20DAFD24F4C7DAF6F9E08DFB388E77B66F11C49B
                                                SHA-256:343A0751D0B019585B5A655031941A406CBF403CDDF33498853B1536B7B287D9
                                                SHA-512:15273848255FFACC787D724ADD047C34B1B0BEFE0BB86983E397E0B8E26676BD54046D8D8A5516D3ADC1195D4B528BBDD0A93D8FB7A18A182567A730E36F3149
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.4.8.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC61.tmp.xml
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4727
                                                Entropy (8bit):4.5249078201260895
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zsiJgtWI99NeyWSC8B58/8fm8M4JFKnEFK+q8vIMpyzpz43d:uITfwaQTSNX8kJFKvK7pMBGd
                                                MD5:A77D974765EA039F1262BFEFC930DDD0
                                                SHA1:BD9A0C9A7E2125EC668643A67C1DE5AB7053BEE9
                                                SHA-256:EBE9C543D0C54888E69F73621631DF24BCF7996158CC4F69805CB448B11CF2EF
                                                SHA-512:3BCC218C23C2DC2E44752FA14AC1FA69DB851ABD518D3A3D0AE43FFB3B4563C39273E7FC4C473ECB3DC85CA505A18F61F7489744E541C6AE8D513ECF9BB6F5C0
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERD288.tmp.mdmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Tue Jan 19 22:08:25 2021, 0x60521 type
                                                Category:dropped
                                                Size (bytes):6933739
                                                Entropy (8bit):4.734653460543801
                                                Encrypted:false
                                                SSDEEP:98304:QaMVHrkZq8y7Lb1XaMynrEh+9Hqt+G/haJIy0c83ruYGvkKPTIs:fMVQZN8EnrEh+9HxIqRkKUs
                                                MD5:0FFA20CF1EEC67FD898D3AC64D6C7231
                                                SHA1:8C3CF535A2A1CB827A54C03E639186B21075957A
                                                SHA-256:1646FD0EA566759E195DE0B910D4C301D02FD7D8B9BDE02629FA575AA885DD11
                                                SHA-512:95EE59C890A3C14B7A3DE35A984495ACEB0D859BB7F63BF5860D9CD5382A3BE7787056C79BBA6D2DDF29B77E559248C36006829E4FEBEDB46ABFEE45B64F7551
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......YX.`!..................U...........B.......7......GenuineIntelW...........T.......d...JX.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0D1.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8524
                                                Entropy (8bit):3.7080535077803924
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNihCRl656YShSUvThRgmfVTSTCprs89bPnosftFm:RrlsNio656YUSUvThRgmfBSCPnbfu
                                                MD5:9FB20031D8273F271E0B02DC2888B81C
                                                SHA1:6C03A55C542379A201F850452865CD8F567A0890
                                                SHA-256:5B1B04CE45984D2003633B3BFD590A9331B4A5AC320A5503CD7CCA1AFFDE54F6
                                                SHA-512:4994B1FA03EDAB8B6DA865A1BB741A6E8868542289F737210B4797FC188CFE1D0BEC636E20296971C3526760BDB864350D35DD2047F15E360F1FB066B891596D
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.4.8.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1CC.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4777
                                                Entropy (8bit):4.5195633541037825
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zspJgtWI99NeyWSC8BB8fm8M4JwO5mEZFJV+q8GqUlpyzpz4Ed:uITf7aQTSNkJwktVJlpMBVd
                                                MD5:8EDDFB7B4C01B2217653133720FB0C3E
                                                SHA1:EE64A9AD9FA38CD71213C86424622FFAC7D57030
                                                SHA-256:684425CEB1CC7C1C95D447C778B60281477DD85DC2083EA402C13C61E74498B2
                                                SHA-512:40C7AA1A2B7B031FE823E3D4619D87F05A7B7B96981B46716DC113A194668A1B1212500D6C1FB5E087DAFBC0800517A53E017FF0B6BDD3BCF014A57F89A7E531
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824119" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log
                                                Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):916
                                                Entropy (8bit):5.282390836641403
                                                Encrypted:false
                                                SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview: ..
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1074688
                                                Entropy (8bit):7.570804768501044
                                                Encrypted:false
                                                SSDEEP:12288:f8WvAMYGY5RFNBeU7vgTOzcdCeddAAU8f9MkdPUBphp5wvvXLlweomEL+wif7APY:f8W4T17vgKzYXAm+DfuTXomAuzABdpu
                                                MD5:EB59D99961C7636B4872E389DA03CBC9
                                                SHA1:22D5FB0F076A0D945596B7938E72B6B5CAE73674
                                                SHA-256:4DD89AEA31CFB64C8FA6B542C9AD002E4041EF5249F2072947DF749E00E7FD9E
                                                SHA-512:6D062B65284DF0F4CE5845B8730AC6ADF46759AF5F35E3BDE86A609BCE9FF0D5846FBE2D30864E411B695D774B6F6903D558E42F067C44817E3421CD5D41B256
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 37%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|..|..|.....v............n..._#......o....a.....n.....m..|.......}.....}....}..Rich|..........PE..L...d..`..........................................@..........................`............@..................................F.......... ....................0..<,...6..............................06..@...............`............................text...:........................... ..`.rdata..............................@..@.data...4....`.......B..............@....gfids..t............N..............@..@.rsrc... ............P..............@..@.reloc..<,...0......................@..B................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview: [ZoneTransfer]....ZoneId=0
                                                C:\Users\user\AppData\Roaming\pid.txt
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):4
                                                Entropy (8bit):2.0
                                                Encrypted:false
                                                SSDEEP:3:Q:Q
                                                MD5:E21E4E58AD9AB56E8A4634046DA90113
                                                SHA1:D7C1F0DD609C0024D00C7EB35743BCC476459876
                                                SHA-256:2C6499976963E9832529BC8D9DFF516D16C13D372D852D1500F5892E46A25507
                                                SHA-512:0A18737EFF8DEE2E701D7F75B10A56E5610AC75D379E0D4D5528ADADE8D7367618FAFDFEB9F16B66C36DAF4A152D96DCFE9E0B5B47A4CEBB6FDAD6A19FDB9134
                                                Malicious:false
                                                Preview: 2148
                                                C:\Users\user\AppData\Roaming\pidloc.txt
                                                Process:C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):72
                                                Entropy (8bit):4.792723397330207
                                                Encrypted:false
                                                SSDEEP:3:oNWXp5v1qOL/kiRMQFLTzxl0C:oNWXpFgOLHXLvxl0C
                                                MD5:C2645D3F71F5EA8326BA0B900632630D
                                                SHA1:0456DB88ECD2D46E89CDCFD159029FA44E10B928
                                                SHA-256:92283FB25F70604C5445F52AD17CFC2E7F206C63D5F737B8A81F12F1FC73BB19
                                                SHA-512:0DBE031016D3A882000116A853F4D8FC463AF466948781AE816349878577B4C67ADE9AA0F96D2B0C7E513C3D8536E0D46CD63B417F802E7E01CA064426823881
                                                Malicious:false
                                                Preview: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.570804768501044
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                File size:1074688
                                                MD5:eb59d99961c7636b4872e389da03cbc9
                                                SHA1:22d5fb0f076a0d945596b7938e72b6b5cae73674
                                                SHA256:4dd89aea31cfb64c8fa6b542c9ad002e4041ef5249f2072947df749e00e7fd9e
                                                SHA512:6d062b65284df0f4ce5845b8730ac6adf46759af5f35e3bde86a609bce9ff0d5846fbe2d30864e411b695d774b6f6903d558e42f067c44817e3421cd5d41b256
                                                SSDEEP:12288:f8WvAMYGY5RFNBeU7vgTOzcdCeddAAU8f9MkdPUBphp5wvvXLlweomEL+wif7APY:f8W4T17vgKzYXAm+DfuTXomAuzABdpu
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|...|...|.......v...............n...._#.........o.......a.......n.......m...|...........}.......}.......}...Rich|..........

                                                File Icon

                                                Icon Hash:6eecccccd6d2f2f2

                                                Static PE Info

                                                General

                                                Entrypoint:0x401308
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x6005EF64 [Mon Jan 18 20:28:20 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:3f85ebb67bac58f72de974a91d40889a

                                                Entrypoint Preview

                                                Instruction
                                                call 00007FA3F8CD8798h
                                                jmp 00007FA3F8CD8255h
                                                push 00000014h
                                                push 00453B58h
                                                call 00007FA3F8CD8AE7h
                                                push 00000001h
                                                call 00007FA3F8CD8560h
                                                pop ecx
                                                test al, al
                                                jne 00007FA3F8CD8259h
                                                push 00000007h
                                                call 00007FA3F8CD8887h
                                                xor bl, bl
                                                mov byte ptr [ebp-19h], bl
                                                and dword ptr [ebp-04h], 00000000h
                                                call 00007FA3F8CD8449h
                                                mov byte ptr [ebp-24h], al
                                                mov eax, dword ptr [00456A80h]
                                                xor ecx, ecx
                                                inc ecx
                                                cmp eax, ecx
                                                je 00007FA3F8CD822Eh
                                                test eax, eax
                                                jne 00007FA3F8CD829Bh
                                                mov dword ptr [00456A80h], ecx
                                                push 0044B290h
                                                push 0044B270h
                                                call 00007FA3F8CF96BFh
                                                pop ecx
                                                pop ecx
                                                test eax, eax
                                                je 00007FA3F8CD8263h
                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                mov eax, 000000FFh
                                                jmp 00007FA3F8CD834Bh
                                                push 0044B26Ch
                                                push 0044B264h
                                                call 00007FA3F8CF963Dh
                                                pop ecx
                                                pop ecx
                                                mov dword ptr [00456A80h], 00000002h
                                                jmp 00007FA3F8CD8257h
                                                mov bl, cl
                                                mov byte ptr [ebp-19h], bl
                                                push dword ptr [ebp-24h]
                                                call 00007FA3F8CD8637h
                                                pop ecx
                                                call 00007FA3F8CD87FEh
                                                mov esi, eax
                                                xor edi, edi
                                                cmp dword ptr [esi], edi
                                                je 00007FA3F8CD826Ch
                                                push esi
                                                call 00007FA3F8CD8599h
                                                pop ecx
                                                test al, al
                                                je 00007FA3F8CD8261h
                                                push edi
                                                push 00000002h
                                                push edi
                                                mov esi, dword ptr [esi]
                                                mov ecx, esi
                                                call 00007FA3F8CD8A27h
                                                call esi

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x546dc | 0xb4 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x19f20 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x2c3c | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x53610 | 0x1c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x53630 | 0x40 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x260 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x4993a | 0x49a00 | False | 0.472009629669 | data | 6.6152740435 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x4b000 | 0xa3aa | 0xa400 | False | 0.45107660061 | SysEx File - Mesosha | 5.23997613425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x56000 | 0x1f34 | 0xc00 | False | 0.171549479167 | DOS executable (block device driver \277DN) | 2.22955442271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .gfids | 0x58000 | 0x174 | 0x200 | False | 0.341796875 | data | 2.11448669888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x59000 | 0x19f20 | 0x1a000 | False | 0.195575420673 | data | 4.62816449784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x73000 | 0x2c3c | 0x2e00 | False | 0.783882472826 | data | 6.63145431335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_ICON | 0x591c0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x5b768 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x5c810 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                RT_ICON | 0x5cc78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x60ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                RT_RCDATA | 0x71718 | 0x1805 | data | English | United States
                                                RT_GROUP_ICON | 0x716c8 | 0x4c | data | English | United States

                                                Imports

                                                DLL | Import
                                                KERNEL32.dll | Heap32Next, LoadResource, FreeLibrary, GetLongPathNameA, CancelIo, BuildCommDCBAndTimeoutsA, ExitThread, GlobalFindAtomW, GetStdHandle, HeapAlloc, GetProcessHeap, SetConsoleCursorPosition, DecodePointer, EncodePointer, SetEndOfFile, WriteConsoleW, HeapReAlloc, HeapSize, GetTimeZoneInformation, SetConsoleMode, ReadConsoleInputW, ReadConsoleInputA, PeekConsoleInputA, GetNumberOfConsoleInputEvents, CreateFileW, SetConsoleCtrlHandler, GetStringTypeW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindClose, MoveFileExW, GetFileAttributesExW, CreateProcessW, CreateProcessA, GetExitCodeProcess, WaitForSingleObject, GetCurrentThread, DeleteFileW, CloseHandle, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, ReadFile, QueryPerformanceFrequency, MultiByteToWideChar, WriteFile, GetModuleFileNameW, GetModuleFileNameA, WideCharToMultiByte, GetACP, HeapFree, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetFileType, OutputDebugStringA, OutputDebugStringW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, RaiseException
                                                SHELL32.dll | DragQueryFile, Shell_NotifyIconA
                                                MSWSOCK.dll | EnumProtocolsA, GetNameByTypeW, GetServiceA, getnetbyname
                                                mscms.dll | EnumColorProfilesW, UnregisterCMMA, CreateProfileFromLogColorSpaceW, GetPS2ColorRenderingIntent, EnumColorProfilesA
                                                msi.dll |
                                                WS2_32.dll | gethostbyaddr, WSCInstallNameSpace, WSALookupServiceNextA, WSARemoveServiceClass
                                                ODBC32.dll | VRetrieveDriverErrorsRowCol
                                                USER32.dll | GetDC, GrayStringW

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken | Map
                                                English | United States |

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                01/19/21-14:07:24.893873 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49709 | 104.16.155.36 | 192.168.2.3

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jan 19, 2021 14:07:24.803280115 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:07:24.843286991 CET | 80 | 49709 | 104.16.155.36 | 192.168.2.3
                                                Jan 19, 2021 14:07:24.843444109 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:07:24.844419956 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:07:24.884332895 CET | 80 | 49709 | 104.16.155.36 | 192.168.2.3
                                                Jan 19, 2021 14:07:24.893872976 CET | 80 | 49709 | 104.16.155.36 | 192.168.2.3
                                                Jan 19, 2021 14:07:24.944005013 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36
                                                Jan 19, 2021 14:08:07.401418924 CET | 49709 | 80 | 192.168.2.3 | 104.16.155.36

                                                UDP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jan 19, 2021 14:07:24.737133026 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:24.784964085 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:27.024379015 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:27.080846071 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:29.446954966 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:29.503288984 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:38.352360964 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:38.406651974 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:38.416496992 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:38.465986013 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:41.692348957 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:41.777007103 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:46.849670887 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:46.898314953 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:53.292752028 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:07:53.342840910 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:07:59.963716030 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:00.014316082 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:02.032809973 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:02.093347073 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:04.101022005 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:04.151834011 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:11.430254936 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:11.486526012 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:11.658313990 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:11.719221115 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:12.349411964 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:12.397241116 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:13.509324074 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:13.557267904 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:19.087261915 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:19.135039091 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:20.055285931 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:20.111741066 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:21.066859961 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:21.114937067 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:27.746773005 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:27.794595957 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:31.018626928 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:31.066662073 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:33.980485916 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:34.031049013 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:37.069364071 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:37.125648975 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:42.337563992 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:42.385427952 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:08:42.811871052 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:08:42.859744072 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:08.177627087 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:08.225469112 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:09.648237944 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:09.699141026 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:41.623981953 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:41.674923897 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:59.172621965 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:59.220423937 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:09:59.894496918 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:09:59.951042891 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:03.218694925 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:03.275172949 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:03.438195944 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:03.494326115 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:04.525226116 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:04.587599993 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:05.257047892 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:05.313369989 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:05.526376009 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:05.585340977 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:06.657068968 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:06.705086946 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:07.892919064 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:07.952100992 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:09.728214979 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:10.763556004 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:11.809860945 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:11.873954058 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                                                Jan 19, 2021 14:10:13.257555962 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                                                Jan 19, 2021 14:10:13.315814018 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Jan 19, 2021 14:07:24.737133026 CET | 192.168.2.3 | 8.8.8.8 | 0x8b8d | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Jan 19, 2021 14:07:24.784964085 CET | 8.8.8.8 | 192.168.2.3 | 0x8b8d | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                Jan 19, 2021 14:07:24.784964085 CET | 8.8.8.8 | 192.168.2.3 | 0x8b8d | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • whatismyipaddress.com

                                                HTTP Packets

                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.3 | 49709 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Jan 19, 2021 14:07:24.844419956 CET | 0 | OUT | GET / HTTP/1.1
                                                Host: whatismyipaddress.com
                                                Connection: Keep-Alive
                                                Jan 19, 2021 14:07:24.893872976 CET | 1 | IN | HTTP/1.1 403 Forbidden
                                                Date: Tue, 19 Jan 2021 13:07:24 GMT
                                                Content-Type: text/plain; charset=UTF-8
                                                Content-Length: 16
                                                Connection: keep-alive
                                                X-Frame-Options: SAMEORIGIN
                                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                Set-Cookie: __cfduid=dc5c380c1a5d92fcf9cb84a16088ebe551611061644; expires=Thu, 18-Feb-21 13:07:24 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
                                                cf-request-id: 07bc5ae64d0000d711d12b6000000001
                                                Server: cloudflare
                                                CF-RAY: 6140c7507a92d711-FRA
                                                Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
                                                Data Ascii: error code: 1020


                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time: 14:08:10
                                                Start date: 19/01/2021
                                                Path: C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\PO 2010029_pdf Quotation from Alibaba Ale.exe'
                                                Imagebase: 0xad0000
                                                File size: 1074688 bytes
                                                MD5 hash: EB59D99961C7636B4872E389DA03CBC9
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.316835361.000000001DCF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.301261564.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.317001771.000000001EEAE000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.317140638.000000001EFE2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.317057911.000000001EF40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.311897650.000000001C6F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.313417162.000000001CCF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation: low

                                                General

                                                Start time: 14:08:17
                                                Start date: 19/01/2021
                                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                Wow64 process (32bit): true
                                                Commandline: dw20.exe -x -s 2216
                                                Imagebase: 0x7ff6741d0000
                                                File size: 33936 bytes
                                                MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 14:08:20
                                                Start date: 19/01/2021
                                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                Imagebase: 0x400000
                                                File size: 1171592 bytes
                                                MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.240465103.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation: high

                                                General

                                                Start time: 14:08:20
                                                Start date: 19/01/2021
                                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                Imagebase: 0x400000
                                                File size: 1171592 bytes
                                                MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.245754614.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation: high

                                                General

                                                Start time: 14:08:22
                                                Start date: 19/01/2021
                                                Path: C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2244
                                                Imagebase: 0xe50000
                                                File size: 434592 bytes
                                                MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Reputation: high

                                                General

                                                Start time: 14:08:30
                                                Start date: 19/01/2021
                                                Path: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                Imagebase: 0xed0000
                                                File size: 1074688 bytes
                                                MD5 hash: EB59D99961C7636B4872E389DA03CBC9
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.308445225.000000001EE00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.305904316.000000001C5F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.308219748.000000001DBD1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.300925836.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000008.00000002.305233571.000000001AD92000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 37%, ReversingLabs
                                                Reputation:low

                                                General

                                                Start time:14:08:39
                                                Start date:19/01/2021
                                                Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                                                Imagebase:0xed0000
                                                File size:1074688 bytes
                                                MD5 hash:EB59D99961C7636B4872E389DA03CBC9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.312787394.000000001EE40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.312583133.000000001DCB1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.301969493.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.312957269.000000001EED2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.309857450.000000001C5F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Disassembly

                                                Code Analysis
