Analysis Report BANK-STATMENT _xlsx.exe

Overview

General Information

Sample Name: BANK-STATMENT _xlsx.exe
Analysis ID: 320625
MD5: debe564cd4c27c02d23c828df27fe27f
SHA1: 1b55fba242460cc0a5b38299acaaacf3f54c5e87
SHA256: edafe7e62738e180cb882d93f37d2d306627aef482d6f7a7a06c69198c61cd58
Tags: exe, HawkEye


Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: vbc.exe.6920.6.memstr Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: BANK-STATMENT _xlsx.exe Virustotal: Detection: 40%
Source: BANK-STATMENT _xlsx.exe ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: BANK-STATMENT _xlsx.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack Avira: Label: SPR/Tool.MailPassView.473

Spreading:

May infect USB drives
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00408900 FindFirstFileA,GetLastError, 0_2_00408900
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AC0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00408900 FindFirstFileA,GetLastError, 2_2_00408900
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00405AC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49746 -> 166.62.27.57:587
May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 166.62.27.57:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36 104.16.154.36
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 166.62.27.57:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... 
open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... 
open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: BANK-STATMENT _xlsx.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.
google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.
google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 201.75.14.0.in-addr.arpa
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp String found in binary or memory: http://go.microsoft.
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp String found in binary or memory: http://go.microsoft.LinkId=42127
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.ak
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: BANK-STATMENT _xlsx.exe, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.comx&
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670079069.0000000005123000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671131128.0000000005127000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com#
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671889636.00000000050FB000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comc
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comg
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comsig
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670800155.0000000005106000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comz
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com)
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.675887823.000000000512B000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.675857787.000000000512A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676434970.0000000005128000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersS
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676177368.0000000005121000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersd
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.682397058.0000000005121000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersno
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.674765089.0000000005121000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerst
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomF
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.come
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comoitu
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comueed
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.669103284.0000000005122000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669521206.0000000005105000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn7
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn8
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnD
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnZ
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669404161.0000000005123000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnd
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnrb
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/S
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/://w7
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nt
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/alny
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/font
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/typo
Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpEM3LMEM
Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpHLMEMh
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSyn
Source: BANK-STATMENT _xlsx.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?prid=190203
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/?gws_rd=sslvbLMEMh
Source: BANK-STATMENT _xlsx.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
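The string and network lines above are a raw scanner dump, and the "Yara match File source" entries in the section that follows use the same memory-dump naming. The following triage script is an added example (not part of the Joe Sandbox report or its tooling) that parses lines in this format, recovers the host from hits whose URL ran into neighbouring bytes (http://www.fontbureau.comcomF, http://whatismyipaddress.comx&), files the font-foundry and licence hosts as noise, keeps the remaining hosts (whatismyipaddress.com, www.site.com/logs.php, www.nirsoft.net, the mail-login URLs) with the memory regions they were found in, and flags hits that sit in regions whose protection field is 0x40. Assumptions, labelled in the code: the meaning of the dump-name fields (process index, dump pass, timestamp, base address, page protection, flags) is inferred from the report itself, where 0000000F dumps pair with the "15.2.<name>.unpack" entries; 0x40 is read as PAGE_EXECUTE_READWRITE, which is consistent with the "changes PE section rights" signature but is not stated by the report; the noise allowlist and the sample lines are constructed from the report's own values.

```python
"""Triage for the 'String found in binary or memory', 'Network traffic detected'
and 'Yara match File source' lines of a Joe Sandbox report.  Added example, not
part of the original report; SAMPLE_LINES are constructed in the report's format."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LINES = """\
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomF
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: BANK-STATMENT _xlsx.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: Yara match File source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
""".splitlines()

# Font-foundry and licence hosts listed in the report.  They live in installed
# font files and surface in any process that enumerates fonts, so they are filed
# as noise (constructed allowlist, matched by host suffix).
FONT_NOISE = {
    "carterandcone.com", "fontbureau.com", "fonts.com", "founder.com.cn",
    "galapagosdesign.com", "goodfont.co.kr", "jiyu-kobo.co.jp",
    "sajatypeworks.com", "sakkal.com", "sandoll.co.kr", "tiro.com",
    "typography.net", "urwpp.de", "zhongyicts.com.cn", "apache.org",
}
KNOWN_TLDS = ("com", "net", "org", "cn", "jp", "kr", "de")
PAGE_EXECUTE_READWRITE = 0x40  # assumed meaning of the 5th dump-name field

# <proc>.<pass>.<timestamp>.<base>.<protect>.<flags>.sdmp  (roles inferred from the report)
DUMP_RE = re.compile(r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                     r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp")
STRING_RE = re.compile(r"String found in binary or memory: (\S+)")
YARA_RE = re.compile(r"Yara match File source: (\S+\.sdmp)")
PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")


def _region(m):
    return {"proc": int(m.group(1), 16), "pass": int(m.group(2), 16),
            "base": int(m.group(4), 16), "protect": int(m.group(5), 16)}


def parse_dump_id(token):
    """Parse one memory-dump name into its fields, or return None."""
    m = DUMP_RE.search(token)
    return _region(m) if m else None


def clean_host(url):
    """Host of a string-scanner hit.  Bytes that followed the URL in memory with
    no terminator ('.comcomF', '.comx&', '.deDPlease') are trimmed to the TLD."""
    labels = (urlsplit(url).hostname or "").split(".")
    for tld in KNOWN_TLDS:
        if labels[-1].startswith(tld):
            labels[-1] = tld
            break
    return ".".join(labels)


def is_font_noise(host):
    return any(host == h or host.endswith("." + h) for h in FONT_NOISE)


def triage(lines):
    """Indicator hosts with the regions they sit in, noise hosts, string and Yara
    hits inside RWX regions, and the client ports of the TLS sessions."""
    indicators, noise, rwx, yara_rwx, ports = defaultdict(list), set(), [], [], set()
    for line in lines:
        s = STRING_RE.search(line)
        if s:
            host = clean_host(s.group(1))
            if is_font_noise(host):
                noise.add(host)
                continue
            regions = [_region(m) for m in DUMP_RE.finditer(line)]
            indicators[host].extend(regions)
            rwx += [(host, r["proc"], r["base"]) for r in regions
                    if r["protect"] == PAGE_EXECUTE_READWRITE]
            continue
        y = YARA_RE.search(line)
        if y:
            r = parse_dump_id(y.group(1))
            if r and r["protect"] == PAGE_EXECUTE_READWRITE:
                yara_rwx.append((r["proc"], r["base"]))
            continue
        p = PORT_RE.search(line)
        if p:  # each session is printed in both directions; keep the client port once
            a, b = int(p.group(1)), int(p.group(2))
            ports.add(b if a == 443 else a)
    return {"indicators": dict(indicators), "noise": noise, "rwx_hits": rwx,
            "yara_rwx": yara_rwx, "tls_client_ports": sorted(ports)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for host, regions in result["indicators"].items():
        print(host, [(r["proc"], hex(r["base"]), hex(r["protect"])) for r in regions])
    print("noise:", sorted(result["noise"]), "| RWX string hits:", result["rwx_hits"])
    print("RWX Yara hits:", [(p, hex(b)) for p, b in result["yara_rwx"]],
          "| TLS client ports:", result["tls_client_ports"])
```

Run it over the full "String found", "Network traffic" and "Yara match" lines of the report instead of SAMPLE_LINES to get the de-duplicated host list. Two things it surfaces are worth noting when reading the report: the Yara hits at 0x402000 and 0x497000 in region protection 0x40 are in the image range of the executable itself, which is what the "overwrites its own PE header" and process-hollowing signatures describe; and the TLS lines carry only ephemeral ports, so the report does not tie any of those sessions to a host in this section.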

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.803619602.0000000002F08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.915989570.0000000003038000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.885749429.0000000002F48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0040702E OpenClipboard, 0_2_0040702E
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00422A48 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00422A48
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0042308C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 2_2_0042308C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00458744 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 0_2_00458744
Creates a DirectInput object (often for capturing keystrokes)
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665944784.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Window created: window name: CLIPBRDWNDCLASS
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
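The unpacked-PE hits above, and the memory-dump hits listed under "Yara signature match" further down, repeat the same two HawkEye rules across dozens of dumps, which hides the useful information: how many processes carry the RAT image, at which base addresses, and in what kind of memory. The Python below is an added example, not part of the Joe Sandbox report, that parses both naming forms used in this report into a per-process summary. It assumes the dump names are laid out as PID.stage.imagename.base.index[.raw].unpack (decimal PID, hex base) and PID.stage.dumpid.base.protection.type.sdmp (hex fields); that field order is inferred from the names in this report, while the PAGE_* values are the documented Windows memory-protection constants. The sample lines are copied from this report.

```python
import re
from collections import defaultdict

# Constructed sample input: seven "Source:" lines copied from this report,
# covering both the ".unpack" and the ".sdmp" naming forms.
SAMPLE_LINES = """\
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
"""

# "<pid>.<stage>.<image name>.<base>.<index>[.raw].unpack": decimal pid, hex base.
UNPACK_RE = re.compile(
    r"^Source: (?P<pid>\d+)\.(?P<stage>\d+)\.(?P<name>.+?)\.(?P<base>[0-9a-fA-F]+)\."
    r"(?P<idx>\d+)(?P<raw>\.raw)?\.unpack, type: \w+ Matched rule: (?P<rule>.+?)(?: Author: .*)?$")
# "<pid>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp": all hex except the dump id.
# Field meaning is assumed from the names in this report.
SDMP_RE = re.compile(
    r"^Source: (?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp, type: \w+ Matched rule: (?P<rule>[^ ,]+)")

# Documented Windows memory-protection constants (winnt.h PAGE_*).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_source_line(line):
    """Parse one 'Source:' line into a record, or return None if it is not a Yara hit line."""
    m = UNPACK_RE.match(line)
    if m:
        return {"pid": int(m["pid"]), "stage": int(m["stage"]), "base": int(m["base"], 16),
                "kind": "raw" if m["raw"] else "unpack", "rule": m["rule"], "prot": None}
    m = SDMP_RE.match(line)
    if m:
        prot = int(m["prot"], 16)
        return {"pid": int(m["pid"], 16), "stage": int(m["stage"], 16), "base": int(m["base"], 16),
                "kind": "sdmp", "rule": m["rule"], "prot": PAGE_PROTECT.get(prot, hex(prot))}
    return None


def summarize(report_text):
    """Collapse the hit list to {pid: {base: set(rule names)}}."""
    per_pid = defaultdict(lambda: defaultdict(set))
    for line in report_text.splitlines():
        rec = parse_source_line(line)
        if rec:
            per_pid[rec["pid"]][rec["base"]].add(rec["rule"])
    return {pid: dict(bases) for pid, bases in per_pid.items()}


def pids_matching_at(summary, base=0x400000):
    """PIDs in which the given base (0x400000, the main-module base here) itself matched."""
    return sorted(pid for pid, bases in summary.items() if base in bases)


def rwx_regions(report_text):
    """(pid, base) of memory-dump hits that sat in PAGE_EXECUTE_READWRITE memory."""
    hits = set()
    for line in report_text.splitlines():
        rec = parse_source_line(line)
        if rec and rec["prot"] == "PAGE_EXECUTE_READWRITE":
            hits.add((rec["pid"], rec["base"]))
    return sorted(hits)


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for pid in sorted(s):
        for base, rules in sorted(s[pid].items()):
            print(f"pid {pid:3d} base 0x{base:08x}: {', '.join(sorted(rules))}")
    print("RAT image at 0x400000 in PIDs:", pids_matching_at(s))
    print("RWX dump regions:", rwx_regions(SAMPLE_LINES))
```

A HawkEye match at 0x400000, the default image base of a 32-bit executable, means that process's main module holds the unpacked RAT rather than the on-disk image, which is what the report's process-hollowing finding refers to; run over the full list above, PIDs 1, 15, 21, 29, 34 and 38 all show that. Hits in PAGE_EXECUTE_READWRITE regions at other bases (0x21e0000, 0x22d0000 and similar) are the intermediate copies written before injection.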
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00454818 NtdllDefWindowProc_A, 0_2_00454818
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00454F94
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00455044
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00449408 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_00449408
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042D6D0 NtdllDefWindowProc_A, 0_2_0042D6D0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004397C4 NtdllDefWindowProc_A,GetCapture, 0_2_004397C4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00490159 NtCreateSection, 1_2_00490159
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00454818 NtdllDefWindowProc_A, 2_2_00454818
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00454F94
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00455044
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00449408 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 2_2_00449408
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0042D6D0 NtdllDefWindowProc_A, 2_2_0042D6D0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_004397C4 NtdllDefWindowProc_A,GetCapture, 2_2_004397C4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0044EEEC 0_2_0044EEEC
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00449408 0_2_00449408
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0040D426 1_2_0040D426
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0040D523 1_2_0040D523
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0041D5AE 1_2_0041D5AE
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00417646 1_2_00417646
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0040D6C4 1_2_0040D6C4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_004429BE 1_2_004429BE
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00446AF4 1_2_00446AF4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0046ABFC 1_2_0046ABFC
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00463C4D 1_2_00463C4D
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00463CBE 1_2_00463CBE
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0040ED03 1_2_0040ED03
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00463D2F 1_2_00463D2F
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00463DC0 1_2_00463DC0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0040CF92 1_2_0040CF92
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0041AFA6 1_2_0041AFA6
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048F13D 1_2_0048F13D
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_00489976 1_2_00489976
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_004F9017 1_2_004F9017
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_004F90A8 1_2_004F90A8
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_004A227A 1_2_004A227A
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_004B028E 1_2_004B028E
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0043C7BC 1_2_0043C7BC
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0044EEEC 2_2_0044EEEC
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00449408 2_2_00449408
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404DDB 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040BD8A 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404E4C 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404EBD 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404F4E 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404419 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404516 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00413538 7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004145A1 7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040E639 7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004337AF 7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004399B1 7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0043DAE7 7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00405CF6 7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403F85 7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411F99 7_2_00411F99
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 004035B4 appears 62 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 0044BA9D appears 36 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 0040C224 appears 36 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 004066B8 appears 32 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 00403980 appears 74 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 00404344 appears 36 times
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: String function: 00404320 appears 154 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
PE file contains strange resources
Source: BANK-STATMENT _xlsx.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665995495.00000000023A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe Binary or memory string: OriginalFilename vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe Binary or memory string: OriginalFileName vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.767713264.0000000002432000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788122211.0000000002340000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799067734.00000000022D2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000010.00000002.812025899.0000000002260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870211427.0000000002822000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.869457392.00000000022B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882472409.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882825216.00000000007A2000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 0000001F.00000002.892381950.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903544550.00000000026C2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.902870919.0000000002340000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp Binary or memory string: w: %Scannot create INSTEAD OF trigger on table: %SINSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')type='trigger' AND name='%q'no such trigger: %Sno such column: %srows updated_rowid_cannot VACUUM from within a transactioncannot VACUUM - SQL statements in progressATTACH ':memory:' AS vacuum_db;ATTACH '' AS vacuum_db;PRAGMA vacuum_db.synchronous=OFFBEGIN EXCLUSIVE;SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)CREATE VIRTUAL TABLE %TUPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%dname='%q' AND type='table'vtable constructor failed: %svtable constructor did not declare schema: %shidden hiddenno such module: %sNOCASEauto-indextable %s: xBestIndex returned an invalid planat most %d tables in a joincannot use index: %sparser stack overflowset listnear "%T": syntax errortoo many arguments on function %Tqualified table names are not allowed on INSERT, UPDATE, and DELETE statements within triggersthe INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggersthe NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggersinterruptunrecognized token: "%T"temp2011-01-28 17:03:50 ed759d5a9edb3bba5f48f243df47be29e3fe8cd7unable to close due to unfinalised statementsunable to close due to unfinished backup operationunknown errorunable to delete/modify user-function due to active statementsunknown database: %sunable to delete/modify collation sequence due to active statementsno such vfs: %sRTRIMmaindatabase corruption at line %d of [%.10s]misuse at line %d of [%.10s]cannot open file at line %d of [%.10s]\sqlite3.dll\mozsqlite3.dll\nss3.dllsqlite3_opensqlite3_preparesqlite3_stepsqlite3_column_textsqlite3_column_intsqlite3_column_int64sqlite3_finalizesqlite3_closesqlite3_exec\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNamelog profile.saveSIsignInvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultFreeVaultGetInformationVaultG
Source: BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912185796.0000000000760000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs BANK-STATMENT _xlsx.exe
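The "Binary or memory string" evidence above comes from carving UTF-16 strings out of process memory and reading the OriginalFilename entry of every VS_VERSIONINFO block found there; a value that differs from the sample's own file name means another PE image (here the NirSoft WebBrowserPassView and Mail PassView tools, a CMemoryExecute.dll loader, and a Phulli.exe build) is sitting unpacked in the process. The Python below is an added example, not part of the Joe Sandbox report, that performs the same check over a raw dump: it carves each OriginalFilename value, stops at the value's own NUL terminator, and compares the result against the sample's file name. The dump it scans is constructed inline from synthetic VS_VERSIONINFO String entries; KNOWN_RECOVERY_TOOLS and the helper names are this example's own.

```python
import re
import struct


def _version_string(key, value):
    """Build one VS_VERSIONINFO String entry the way it sits in a PE version resource:
    WORD wLength, WORD wValueLength (in characters), WORD wType=1 (text),
    UTF-16 key + NUL, padding to a DWORD boundary, UTF-16 value + NUL."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(k))) % 4
    length = 6 + len(k) + pad + len(v)
    return struct.pack("<HHH", length, len(value) + 1, 1) + k + b"\x00" * pad + v


# Constructed sample "memory dump" (not a real dump from this analysis): several
# version blocks separated by filler, as they would appear after the sample has
# unpacked other PE images into its own address space.
SAMPLE_DUMP = (
    b"\x90" * 8
    + _version_string("CompanyName", "Example Co")
    + _version_string("OriginalFilename", "CMemoryExecute.dll")
    + b"\xcc" * 16
    + _version_string("OriginalFilename", "WebBrowserPassView.exe")
    + _version_string("OriginalFilename", "mailpv.exe")
    + _version_string("OriginalFilename", "BANK-STATMENT _xlsx.exe")
    + b"\x90" * 8
)

# UTF-16LE "OriginalFilename", its NUL terminator plus any alignment padding, then the
# value up to its own NUL terminator (ASCII-range UTF-16, which covers file names).
KEY = "OriginalFilename".encode("utf-16-le")
ORIG_NAME_RE = re.compile(KEY + rb"(?:\x00\x00)+((?:[^\x00]\x00){1,260})\x00\x00")

# NirSoft credential-recovery tools named by this report's own Yara hits.
KNOWN_RECOVERY_TOOLS = {"mailpv.exe", "webbrowserpassview.exe"}


def carve_original_filenames(buf):
    """Every OriginalFilename value carved from a raw buffer, in order of appearance."""
    return [m.group(1).decode("utf-16-le") for m in ORIG_NAME_RE.finditer(buf)]


def check_original_filename(buf, sample_name):
    """Return (values that differ from the sample's file name, the subset that are
    known credential-recovery tools). Comparison is case-insensitive."""
    names = carve_original_filenames(buf)
    mismatches = sorted({n for n in names if n.lower() != sample_name.lower()})
    tools = [n for n in mismatches if n.lower() in KNOWN_RECOVERY_TOOLS]
    return mismatches, tools


if __name__ == "__main__":
    found, tools = check_original_filename(SAMPLE_DUMP, "BANK-STATMENT _xlsx.exe")
    print("OriginalFilename values not matching the sample:", found)
    print("embedded credential-recovery tools:", tools)
```

The trailing "@", "F", "<" and "0" in the report's strings (CMemoryExecute.dll@, WebBrowserPassView.exeF, mailpv.exe<, Phulli.exe0) are not part of the names: they are the wLength WORD of the next version-info String entry (0x40, 0x46, 0x3C, 0x30) read as a UTF-16 character by a string extractor that skips NUL bytes, which is also why it ran the key and the value together. Stopping at the value's terminator, as above, yields the clean names to pivot on.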
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@53/29@20/4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00420114 GetLastError,FormatMessageA, 0_2_00420114
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00408ACA GetDiskFreeSpaceA, 0_2_00408ACA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 7_2_00411196
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004168F4 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_004168F4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER65F6.tmp
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: BANK-STATMENT _xlsx.exe Virustotal: Detection: 40%
Source: BANK-STATMENT _xlsx.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File read: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
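The process list above carries two patterns worth turning into detection logic: the sample re-launching its own image with the arguments "2 <pid> <number>", and the VB.NET compiler vbc.exe being started with "/stext <file>". vbc.exe has no such switch; /stext is the NirSoft "save report as text" option, so a NirSoft password-recovery binary has been mapped into the vbc.exe process (the vbc.exe key open on Outlook's "OMI Account Manager\Accounts" later in this report is that tool at work). The following is an added example, not Joe Sandbox output and not the sample's code: it parses lines in the report's own "Source: ... Process created: ..." shape and applies those two rules plus an informational one for dw20.exe, the .NET error-reporting shim. The log lines are constructed from the entries above plus one benign vbc.exe build command as a control; the rule names, the list of .NET host binaries and the NirSoft switch list are this example's assumptions.

```python
"""Flag the process-creation pattern this report shows for HawkEye.

Added example for this report; it is not Joe Sandbox code. The log lines
below are constructed from the 'Process created' entries above plus one
benign vbc.exe build command as a control. Rule names, the list of .NET
host binaries and the NirSoft switch list are this example's assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed input in the report's own "Source: ... Process created: ..." shape.
SAMPLE_LOG = r"""
Source: unknown Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe vbc.exe /target:exe /out:build\app.exe build\app.vb
""".strip().splitlines()

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$",
    re.IGNORECASE,
)
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")   # keep quoted paths with spaces whole
SELF_RELAUNCH_RE = re.compile(r"^2 \d+ \d+$")        # "2 <pid> <number>" as seen above

# Assumptions: .NET framework binaries commonly used as hollowing hosts, and the
# NirSoft "save report" switches; vbc.exe itself accepts none of these switches.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
NIRSOFT_SAVE_SWITCHES = {"/stext", "/stab", "/scomma", "/shtml", "/sverhtml", "/sxml"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_events(lines):
    """Turn report lines into parent/image/args records; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        argv = [t.strip("'\"") for t in TOKEN_RE.findall(m.group("cmdline") or "")]
        events.append({"parent": m.group("parent"), "image": m.group("image"), "args": argv[1:]})
    return events


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    findings = []
    for ev in events:
        image, args = _name(ev["image"]), ev["args"]
        lowered = [a.lower() for a in args]
        # Rule 1: a .NET host binary launched with a NirSoft output switch means a
        # password-recovery tool was mapped into it (report: vbc.exe /stext holder*.txt).
        for i, a in enumerate(lowered):
            if image in DOTNET_HOSTS and a in NIRSOFT_SAVE_SWITCHES:
                out = args[i + 1] if i + 1 < len(args) else ""
                findings.append(Finding("nirsoft_tool_in_dotnet_host", image, f"{a} {out}"))
                break
        # Rule 2: the sample re-launching its own image with "2 <pid> <number>".
        if ev["parent"] != "unknown" and _name(ev["parent"]) == image \
                and SELF_RELAUNCH_RE.match(" ".join(args)):
            findings.append(Finding("self_relaunch_with_pid_args", image, " ".join(args)))
        # Rule 3 (informational): dw20.exe is the .NET error-reporting shim started when
        # a managed process hits an unhandled exception; worth correlating with rule 2.
        if image == "dw20.exe" and "-x" in lowered:
            findings.append(Finding("dotnet_error_reporting_shim", image, " ".join(args)))
    return findings


def scan(lines):
    return detect(parse_events(lines))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run against the constructed lines this reports the two vbc.exe launches, the one self-relaunch with PID arguments and the dw20.exe shim, and stays silent on the benign compiler invocation. On a real endpoint the same three rules map directly onto process-creation telemetry (parent image, child image, command line), which is where they belong rather than in a string scan of the binary.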
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbV source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.806097073.00000000061F0000.00000004.00000001.sdmp
Source: Binary string: Z[zTs5.pdb6 source: BANK-STATMENT _xlsx.exe, 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp
Source: Binary string: mscorlib.pdbs\Desktop\BANK-STATMENT _xlsx.exe6 source: BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbD source: BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774857470.0000000006760000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
Source: Binary string: .pdb* source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp
Source: Binary string: rlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbh source: BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbg source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp
Source: Binary string: 1hoC:\Windows\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbc source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882931760.0000000000847000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbV source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp
Source: Binary string: tsymbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbENT _xlsx.exe source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbk source: BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: BANK-STATMENT _xlsx.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774885507.0000000006775000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806123008.00000000061FE000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbsea source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882902656.000000000081C000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdbH source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
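Most of the .pdb strings above are CLR symbol-probing noise: mscorlib.pdb looked up under the GAC, under \Windows\symbols\dll and in NT "\??\" form, scraped from memory with stray bytes glued before and after the path. Three of them are not noise: the NirSoft build paths for WebBrowserPassView.pdb and mailpv.pdb (Mail PassView), and a CMemoryExecute.pdb from a "Stealer" solution that also leaks the developer's account name in the path. The block below is an added example, not Joe Sandbox code and not the sample's code: it carves .pdb paths out of a memory buffer, strips the NT prefix and leading junk, and sorts the hits into categories so the tool paths stand out. The buffer is constructed from strings the report lists, and the basename-to-category table is this example's assumption.

```python
"""Extract .pdb paths from a memory dump and separate tooling from CLR noise.

Added example for this report, not Joe Sandbox code. The blob below is
constructed from strings the report lists above (NUL bytes and the junk
seen around them included); the basename-to-category table is this
example's assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A printable run that ends in ".pdb"; bytes after it (the "V" / "6" the
# report shows glued to some paths) fall outside the match and are dropped.
PDB_RE = re.compile(rb"[\x20-\x7e]{1,260}?\.pdb", re.IGNORECASE)
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
USER_RE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)
NT_PREFIX = "\\??\\"

# Assumption: basenames seen in this report mapped to what they indicate.
KNOWN = {
    "webbrowserpassview.pdb": "nirsoft_tool",   # NirSoft WebBrowserPassView
    "mailpv.pdb": "nirsoft_tool",               # NirSoft Mail PassView
    "cmemoryexecute.pdb": "in_memory_loader",   # RunPE-style loader project
    "mscorlib.pdb": "clr_runtime",              # CLR symbol probing, expected in any .NET process
}

# Constructed memory contents stitched from the report's own strings.
MEMORY_BLOB = (
    b"\x00\x00Z[zTs5.pdb6\x00\x00"
    b"\\??\\C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdbV\x00"
    b"1hoC:\\Windows\\mscorlib.pdb\x00"
    b"f:\\Projects\\VS2005\\WebBrowserPassView\\Release\\WebBrowserPassView.pdb\x00"
    b"f:\\Projects\\VS2005\\mailpv\\Release\\mailpv.pdb\x00"
    b"C:\\Users\\Jovan\\Documents\\Visual Studio 2010\\Projects\\Stealer"
    b"\\CMemoryExecute\\CMemoryExecute\\obj\\Release\\CMemoryExecute.pdb\x00"
)


@dataclass(frozen=True)
class PdbHit:
    path: str
    basename: str
    category: str
    user: Optional[str]     # account name leaked via \Users\<name>\, if any


def normalize(raw: bytes) -> str:
    """Strip the NT object prefix and any junk glued in front of the drive letter."""
    s = raw.decode("ascii", "replace")
    nt = s.rfind(NT_PREFIX)
    if nt != -1:
        s = s[nt + len(NT_PREFIX):]
    m = DRIVE_RE.search(s)
    if m:
        s = s[m.start():]
    return s


def classify(path: str) -> str:
    return KNOWN.get(path.rsplit("\\", 1)[-1].lower(), "unknown")


def extract(blob: bytes):
    """All .pdb hits in the buffer, normalized and classified, in scan order."""
    hits = []
    for m in PDB_RE.finditer(blob):
        path = normalize(m.group(0))
        user = USER_RE.search(path)
        hits.append(PdbHit(path, path.rsplit("\\", 1)[-1], classify(path),
                           user.group(1) if user else None))
    return hits


def triage(blob: bytes):
    """{category: set(paths)} so tool paths stand out from runtime noise."""
    out = {}
    for h in extract(blob):
        out.setdefault(h.category, set()).add(h.path)
    return out


if __name__ == "__main__":
    for cat, paths in sorted(triage(MEMORY_BLOB).items()):
        print(cat, sorted(paths))
```

Anything that lands in "unknown" (here the garbage string "Z[zTs5.pdb") is what still needs a human look; the "clr_runtime" bucket can be dropped from a report, and the "nirsoft_tool" and "in_memory_loader" paths are the ones to keep as indicators.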

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
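The comparison the entries above record is between the section table of the file on disk (.text:ER;.rsrc:R;.reloc:R, the layout a .NET compiler emits) and the section table of the image found at 0x400000 after execution (CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc, the Borland/Delphi linker's naming). Not one section name survives, which is consistent with a different binary having been written over the original image rather than with the original being patched in place. The block below is an added example, not Joe Sandbox code and not the sample: it parses a PE section table by hand, renders it in the report's "name:rights" notation, and diffs on-disk against dump for new names, changed rights and writable code. The two PE images are constructed headers built from the layouts listed above; the third, RWX layout is a further constructed case so the writable-code check has something to fire on.

```python
"""Compare section names and rights between an on-disk PE and a memory dump.

Added example for this report, not Joe Sandbox code. The two section layouts
are the ones the 'changes PE section rights' entries above list for the
on-disk file and for the image unpacked at 0x400000; the PE images built
from them are constructed headers, not the sample. The RWX layout is a
further constructed case to exercise the writable-code check.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
LETTER_TO_FLAG = {"E": IMAGE_SCN_MEM_EXECUTE, "R": IMAGE_SCN_MEM_READ, "W": IMAGE_SCN_MEM_WRITE}
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

# Layouts in the report's own "name:rights" notation.
ON_DISK = ".text:ER;.rsrc:R;.reloc:R;"
UNPACKED = "CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R;"
RWX_VARIANT = ".text:ERW;.rsrc:R;.reloc:R;"   # constructed: same names, code made writable


def layout_to_sections(layout):
    pairs = [p.split(":") for p in layout.strip(";").split(";")]
    return [(name, sum(LETTER_TO_FLAG[c] for c in letters)) for name, letters in pairs]


def build_pe(sections):
    """Constructed minimal PE: DOS header with e_lfanew, PE signature, COFF header,
    zero-filled PE32 optional header, then one section header per entry."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdrs = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + hdrs


def parse_sections(pe):
    """Walk the section table; returns {name: Characteristics} in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        # This is the state the 'overwrites its own PE header' entries describe;
        # a dump taken after the wipe needs the table carved some other way.
        raise ValueError("PE signature missing (header overwritten or not mapped)")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = {}
    for i in range(nsec):
        name, *_, flags = struct.unpack_from(SECTION_HDR, pe, table + i * 40)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = flags
    return out


def rights(flags):
    return "".join(c for c, bit in LETTER_TO_FLAG.items() if flags & bit)


def render(sections):
    return "".join(f"{n}:{rights(f)};" for n, f in sections.items())


def compare_sections(disk_pe, dump_pe):
    a, b = parse_sections(disk_pe), parse_sections(dump_pe)
    return {
        "new_names": sorted(set(b) - set(a)),
        "missing_names": sorted(set(a) - set(b)),
        "rights_changed": {n: (rights(a[n]), rights(b[n])) for n in a if n in b and a[n] != b[n]},
        "writable_code": sorted(n for n, f in b.items()
                                if f & IMAGE_SCN_MEM_EXECUTE and f & IMAGE_SCN_MEM_WRITE),
    }


def looks_unpacked(diff):
    return bool(diff["new_names"] or diff["rights_changed"] or diff["writable_code"])


if __name__ == "__main__":
    disk = build_pe(layout_to_sections(ON_DISK))
    for label, layout in (("unpacked", UNPACKED), ("rwx", RWX_VARIANT)):
        diff = compare_sections(disk, build_pe(layout_to_sections(layout)))
        print(label, looks_unpacked(diff), diff)
```

For the report's pair the diff reports six new section names and a missing .text with no rights change on the two names that survive, which is the "replaced image" shape; the constructed RWX variant instead reports a rights change on .text and a writable code section, which is the "self-modifying in place" shape. The on-disk file compared with itself reports nothing.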
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Unpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004405C4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00440BF4 push 00440C81h; ret 0_2_00440C79
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00426050 push 0042607Ch; ret 0_2_00426074
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0041A058 push ecx; mov dword ptr [esp], edx 0_2_0041A05A
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004100E4 push 00410145h; ret 0_2_0041013D
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C0F4 push 0042C120h; ret 0_2_0042C118
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C084 push 0042C0B0h; ret 0_2_0042C0A8
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0040C0AE push 0040C0DCh; ret 0_2_0040C0D4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0040C0B0 push 0040C0DCh; ret 0_2_0040C0D4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C0BC push 0042C0E8h; ret 0_2_0042C0E0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00410148 push 00410349h; ret 0_2_00410341
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042614C push 00426178h; ret 0_2_00426170
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C164 push 0042C190h; ret 0_2_0042C188
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00442120 push 0044214Ch; ret 0_2_00442144
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C12C push 0042C158h; ret 0_2_0042C150
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004301C4 push 0043022Eh; ret 0_2_00430226
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C1D4 push 0042C200h; ret 0_2_0042C1F8
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004661E4 push ecx; mov dword ptr [esp], ecx 0_2_004661E9
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042C19C push 0042C1C8h; ret 0_2_0042C1C0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00430230 push 0043029Ah; ret 0_2_00430292
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00464314 push 00464340h; ret 0_2_00464338
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00410458 push 00410488h; ret 0_2_00410480
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0041045C push 00410488h; ret 0_2_00410480
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00406576 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00406578 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042E6E8 push 0042E714h; ret 0_2_0042E70C
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0046A6F4 push 0046A720h; ret 0_2_0046A718
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004166FC push ecx; mov dword ptr [esp], edx 0_2_004166FE
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004366B4 push ecx; mov dword ptr [esp], ecx 0_2_004366B8
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004606BC push 004606E8h; ret 0_2_004606E0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00406748 push 00406774h; ret 0_2_0040676C
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0042E73C push 0042E768h; ret 0_2_0042E760

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004548A0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_004548A0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0043C024 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043C024
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00426384 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00426384
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0043AE98 IsIconic,GetCapture, 0_2_0043AE98
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00454F94
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00455044
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0043B740 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043B740
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00451994 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00451994
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_004548A0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_004548A0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0043C024 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_0043C024
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00426384 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_00426384
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0043AE98 IsIconic,GetCapture, 2_2_0043AE98
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00454F94
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00455044
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0043B740 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_0043B740
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00451994 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_00451994
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004405C4
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00430110 0_2_00430110
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00430110 2_2_00430110
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00453E74
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 2_2_00453E74
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Thread delayed: delay time: 922337203685477
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00430110 2_2_00430110
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4864 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5780 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6916 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6840 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116 Thread sleep time: -97047s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 1808 Thread sleep count: 273 > 30
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5380 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5392 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5532 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 864 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6660 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5984 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6112 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 7048 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6244 Thread sleep count: 90 > 30
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6848 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5628 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5468 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5564 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5732 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6864 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6960 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6148 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5544 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0046A9D0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 0046A9EBh 0_2_0046A9D0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_0046A9D0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 0046A9EBh 2_2_0046A9D0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00408900 FindFirstFileA,GetLastError, 0_2_00408900
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AC0
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00408900 FindFirstFileA,GetLastError, 2_2_00408900
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 2_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00405AC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004206A4 GetSystemInfo, 0_2_004206A4
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV2
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798729439.00000000008DA000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process queried: DebugObjectHandle
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048B6F3
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004405C4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h] 1_2_0048F412
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h] 1_2_0048F4D0
Enables debug privileges
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048B6F3
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048A746 SetUnhandledExceptionFilter, 1_2_0048A746
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048BBB5
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0048DD7F
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
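The two signatures above (memory written into vbc.exe starting at its image base, and vbc.exe launched with /stext) are the footprint HawkEye leaves when it hollows a NirSoft credential-recovery tool into a signed .NET Framework binary. vbc.exe, the Visual Basic compiler, has no /stext option; that switch is NirSoft's "save as text" option, and the holdermail.txt and holderwb.txt targets are consistent with the MailPassView and WebBrowserPassView detections listed in the overview. The Python below is an added example, not part of this sandbox report or of the sandbox vendor's tooling, that turns both observations into detection logic and runs it over constructed log lines copied from the entries above. The regexes for this report's line format, the list of NirSoft save switches and the 0x400000 image-base heuristic are assumptions of the example.

```python
"""Added example: detection logic for the hollowing + NirSoft dump pattern seen
above. Check 1 flags a .NET Framework helper launched with a NirSoft save
switch; check 2 flags foreign memory writes that begin at the default 32-bit
image base; triage() raises severity when both point at the same child."""
import re
from collections import defaultdict

# Constructed sample: one representative line per event type, copied from the
# report above (the report repeats them once per process instance).
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
"""

# Assumed line formats, taken from how this report renders the two event types.
PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.+)$")
MEM_RE = re.compile(r"^Source: (?P<parent>.+?) Memory written: (?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)")

# Assumption: the framework directories hold the signed helper binaries that
# .NET stealers hollow (vbc.exe, csc.exe, RegAsm.exe, ...); the prefix also
# matches Framework64.
DOTNET_FRAMEWORK_PREFIX = r"c:\windows\microsoft.net\framework"
# "Save report" switches shared by the NirSoft PassView tools. No .NET compiler
# or framework helper accepts any of them.
NIRSOFT_SAVE_SWITCHES = {"/stext", "/stab", "/stabular", "/scomma", "/shtml", "/sverhtml", "/sxml"}
DEFAULT_IMAGE_BASE_X86 = 0x400000


def parse(log_text):
    """Split report lines into process-creation and memory-write events."""
    procs, writes = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            procs.append(m.groupdict())
            continue
        m = MEM_RE.match(line)
        if m:
            event = m.groupdict()
            event["base"] = int(event["base"], 16)
            writes.append(event)
    return procs, writes


def nirsoft_in_dotnet_lolbin(procs):
    """Check 1: a framework helper launched with a NirSoft save switch."""
    hits = []
    for p in procs:
        folder, _, exe = p["image"].lower().rpartition("\\")
        if not folder.startswith(DOTNET_FRAMEWORK_PREFIX):
            continue
        tokens = p["cmdline"].split()
        lowered = [t.lower() for t in tokens]
        for idx, tok in enumerate(lowered):
            if tok in NIRSOFT_SAVE_SWITCHES:
                # the argument after the switch is the file the stealer dumps into
                outfile = tokens[idx + 1].strip("'\"") if idx + 1 < len(tokens) else ""
                hits.append({"parent": p["parent"], "image": p["image"], "exe": exe,
                             "switch": tok, "outfile": outfile})
                break
    return hits


def writes_at_image_base(writes):
    """Check 2: foreign memory writes that start at the default image base,
    i.e. a whole PE image is being laid into the target (process hollowing)."""
    regions = defaultdict(set)
    for w in writes:
        regions[(w["parent"], w["target"])].add(w["base"])
    return [{"parent": parent, "target": target, "regions": len(bases)}
            for (parent, target), bases in regions.items()
            if DEFAULT_IMAGE_BASE_X86 in bases]


def triage(log_text):
    """Run both checks and raise severity when they point at the same child."""
    procs, writes = parse(log_text)
    lolbin = nirsoft_in_dotnet_lolbin(procs)
    hollow = writes_at_image_base(writes)
    hollowed = {(h["parent"].lower(), h["target"].lower()) for h in hollow}
    verdicts = []
    for hit in lolbin:
        key = (hit["parent"].lower(), hit["image"].lower())
        verdict = dict(hit, hollowed=key in hollowed)
        verdict["severity"] = "high" if verdict["hollowed"] else "medium"
        verdicts.append(verdict)
    return {"lolbin": lolbin, "hollowing": hollow, "verdicts": verdicts}


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG)["verdicts"]:
        print(f'{v["severity"]}: {v["exe"]} {v["switch"]} -> {v["outfile"]} (hollowed={v["hollowed"]})')
```

On the sample above both vbc.exe launches come out as high: each is a framework helper carrying a NirSoft switch, and the same parent wrote five regions into vbc.exe starting at 0x400000. The dw20.exe launch (the .NET error-reporting tool, started because the hollowed process crashed) is parsed but produces no finding, which is the behaviour you want from a rule meant for endpoint telemetry rather than a sandbox.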
Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405C78
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040AC84
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 0_2_00409954
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 0_2_00409908
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405D84
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 1_2_0048EA4A
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405C78
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA,GetACP, 2_2_0040AC84
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 2_2_00409954
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: GetLocaleInfoA, 2_2_00409908
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405D84
Queries the volume information (name, serial number etc) of a device
Note: every target listed under this signature is a font file under C:\Windows\Fonts. That is the access pattern a .NET application typically produces when GDI+ enumerates the installed fonts (for example while building a Windows Forms window), so on its own it is a weak indicator; the injection and credential-dump evidence above is what carries the verdict.
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_0046A9D0 GetSystemTime,ExitProcess, 0_2_0046A9D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 6_2_0040724C
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Code function: 0_2_00440BF4 GetVersion, 0_2_00440BF4
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665351637.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000002.00000002.781407102.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.786924724.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000010.00000002.810314867.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.822009123.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000017.00000002.864676132.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.868823721.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001F.00000002.891689573.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.894914378.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774857470.0000000006760000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.798729439.00000000008DA000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp Binary or memory string: Defender\MsMpeng.exe
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp Binary or memory string: Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
Yara detected MailPassView
Source: Yara match File source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.916237371.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6920, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5676, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
Source: Yara match File source: 25.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 6_2_004033D7
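The browser, instant-messenger and mail signatures above all rest on one observation: a single process, the VB.NET compiler vbc.exe (hollowed by the sample), opens credential stores belonging to seven unrelated applications. The following is an added example, not part of the Joe Sandbox report or its signature set, showing how to turn that observation into a check over file/registry events written in the report's own "Source: <image> File opened|Key opened: <target>" layout. The vbc.exe event lines are the ones listed above; the chrome.exe and OUTLOOK.EXE lines are invented benign controls; the store-to-family table, the BUILD_TOOLS list and the fan-out threshold are assumptions chosen for illustration.

```python
"""Credential-store fan-out check over sandbox file/registry events (added example)."""
import re
from collections import defaultdict

# Constructed sample: the vbc.exe events from the report plus two invented benign
# controls (a browser reading its own store, a mail client reading its own accounts).
SAMPLE_EVENTS = r"""
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
"""

# (case-insensitive substring of the target, family). Assumed table: each family is a
# store that exactly one application has a legitimate reason to read.
CREDENTIAL_STORES = (
    (r"\google\chrome\user data", "chrome"),
    (r"\software\google\google talk\accounts", "google_talk"),
    (r"\software\microsoft\identitycrl", "identitycrl"),
    (r"\software\microsoft\office\outlook\omi account manager", "outlook_omi"),
    (r"\windows messaging subsystem\profiles", "mapi_profiles"),
    (r"\software\incredimail\identities", "incredimail"),
    (r"\software\microsoft\windows live mail", "windows_live_mail"),
)
# Assumed list of compilers/build tools that never need a credential store.
BUILD_TOOLS = {"vbc.exe", "csc.exe", "msbuild.exe"}

# Image path is taken non-greedily up to the operation keyword; the trailing
# "Jump to behavior" link text the report renders is tolerated and discarded.
EVENT_RE = re.compile(
    r"^Source:\s+(?P<image>.+?)\s+(?P<op>File opened|Key opened):\s+(?P<target>.+?)"
    r"(?:\s+Jump to behavior)?\s*$"
)


def parse_event(line):
    """Return (image, operation, target) or None for lines in another layout."""
    m = EVENT_RE.match(line)
    return (m["image"], m["op"], m["target"]) if m else None


def classify_target(target):
    """Map a file path or registry key to a credential-store family, or None."""
    t = target.lower()
    for needle, family in CREDENTIAL_STORES:
        if needle in t:
            return family
    return None


def credential_fanout(lines):
    """Map each image path to the set of credential-store families it touched."""
    touched = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        image, _op, target = ev
        family = classify_target(target)
        if family:
            touched[image].add(family)
    return touched


def suspicious_processes(lines, min_families=3):
    """Flag processes that sweep several unrelated stores (an infostealer pattern)
    or that are build tools with no business reading any store at all."""
    findings = {}
    for image, families in credential_fanout(lines).items():
        exe = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if len(families) >= min_families:
            reasons.append(f"touches {len(families)} unrelated credential stores")
        if exe in BUILD_TOOLS:
            reasons.append(f"{exe} is a compiler, not a mail or browser client")
        if reasons:
            findings[image] = (sorted(families), reasons)
    return findings


if __name__ == "__main__":
    for image, (families, reasons) in suspicious_processes(SAMPLE_EVENTS.strip().splitlines()).items():
        print(image)
        for r in reasons:
            print("  -", r)
        print("  stores:", ", ".join(families))
```

Run against the constructed events, only vbc.exe is reported (seven families, and a compiler image), while chrome.exe and OUTLOOK.EXE each touch only their own store and stay below the threshold. The two rules are deliberately independent: the fan-out rule catches a stealer hollowed into any host process, the build-tool rule catches this specific hollowing target even if the stealer were trimmed to a single store.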
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.916237371.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7044, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
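The Yara match lists for MailPassView and WebBrowserPassView above use two identifier formats that are easier to triage once parsed. A memory dump is named <process index>.<phase>.<dump id>.<address>.<protection>.<flags>.sdmp with every field in hex; an unpacked PE is named <process index>.<phase>.<image>.<base>.<n>[.raw].unpack with a decimal index and phase and a hex base. The index is the same number in both (0x25 in the .sdmp names is the 37 of "37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack", and the dump at 0x27C2000 lies 0x2000 above that unpacked image's base), which lets the two lists be joined. The following is an added example, not tooling from the sandbox vendor; it parses a constructed subset of the identifiers listed above and pairs each dump with the unpacked PE it came from. Two assumptions are labelled in the code: that <protection> is the Win32 page-protection constant (the 0x40 and 0x04 seen fit PAGE_EXECUTE_READWRITE and PAGE_READWRITE), and that a payload image is no larger than MAX_IMAGE_SIZE.

```python
"""Parse and correlate Joe Sandbox source identifiers (added example)."""
import re
from collections import defaultdict

# Constructed subset of identifiers copied from the match lists above.
SOURCES = [
    "00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp",
    "00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp",
    "00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp",
    "00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp",
    "0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp",
    "37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack",
    "38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack",
    "38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack",
    "38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack",
    "15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack",
    "Process Memory Space: vbc.exe PID: 7044",
]

SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<image>.+)\.(?P<base>[0-9A-Fa-f]+)\.(?P<n>\d+)"
    r"(?P<raw>\.raw)?\.unpack$"
)
PROC_RE = re.compile(r"^Process Memory Space: (?P<image>.+) PID: (?P<pid>\d+)$")

# Assumption: the <protection> field is the Win32 page-protection constant.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
# Assumption: no unpacked payload image is larger than 1 MiB.
MAX_IMAGE_SIZE = 0x100000


def parse_source(s):
    """Return a dict describing the identifier, or None if it is in no known form."""
    m = SDMP_RE.match(s)
    if m:
        prot = int(m["prot"], 16)
        return {"kind": "sdmp", "index": int(m["idx"], 16), "phase": int(m["phase"], 16),
                "dump_id": int(m["dump"]), "address": int(m["addr"], 16),
                "protection": PAGE_PROTECTION.get(prot, hex(prot)), "flags": int(m["flags"], 16)}
    m = UNPACK_RE.match(s)
    if m:
        return {"kind": "unpack", "index": int(m["idx"]), "phase": int(m["phase"]),
                "image": m["image"], "base": int(m["base"], 16), "n": int(m["n"]),
                "raw": m["raw"] is not None}
    m = PROC_RE.match(s)
    if m:
        return {"kind": "process", "image": m["image"], "pid": int(m["pid"])}
    return None


def correlate(sources, max_image_size=MAX_IMAGE_SIZE):
    """Pair each memory dump with the unpacked PE (same process index and phase) whose
    base is the highest one at or below the dump address and within max_image_size.
    Dumps with no such PE (heap regions, typically PAGE_READWRITE) pair with None."""
    parsed = [(s, parse_source(s)) for s in sources]
    unpacks = defaultdict(list)
    for name, p in parsed:
        if p and p["kind"] == "unpack" and not p["raw"]:
            unpacks[(p["index"], p["phase"])].append((p["base"], name))
    pairs = []
    for name, p in parsed:
        if not p or p["kind"] != "sdmp":
            continue
        candidates = [(b, n) for b, n in unpacks[(p["index"], p["phase"])]
                      if b <= p["address"] < b + max_image_size]
        pairs.append((name, max(candidates)[1] if candidates else None))
    return pairs


def summarize(sources):
    """Count dump regions per page protection and list the process indexes involved."""
    by_prot = defaultdict(int)
    indexes = set()
    for s in sources:
        p = parse_source(s)
        if p and p["kind"] == "sdmp":
            by_prot[p["protection"]] += 1
            indexes.add(p["index"])
        elif p and p["kind"] == "unpack":
            indexes.add(p["index"])
    return dict(by_prot), sorted(indexes)


if __name__ == "__main__":
    for dump, pe in correlate(SOURCES):
        print(f"{dump}  ->  {pe}")
    print(summarize(SOURCES))
```

On the constructed subset the four PAGE_EXECUTE_READWRITE dumps each pair with an unpacked image in the same process (including the phase-1 dump at 0x4D2000, which falls inside the original image mapped at 0x400000), while the PAGE_READWRITE dump at 0x3AC1000 in process 0x26 pairs with nothing: it is a heap region, not a PE, and the Yara hit there is on decrypted strings rather than on code. Keeping that distinction in view when reading these lists tells you which hits identify the unpacked stealer binary and which only show its runtime data.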

Remote Access Functionality:

Detected HawkEye Rat
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: BANK-STATMENT _xlsx.exe String found in binary or memory: HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801657269.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9
Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9
Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9
Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Yara detected HawkEye Keylogger
Behavior Graph

Behavior Graph ID: 320625
Sample: BANK-STATMENT _xlsx.exe
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 100

Process tree recovered from the graph (node numbers are the graph's own; each "started" edge is shown as nesting, with the network contacts and signatures the graph attaches to that process):

  • 2 Sample root: contacts 201.75.14.0.in-addr.arpa, whatismyipaddress.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 14 other signatures
    • 15 BANK-STATMENT _xlsx.exe: Maps a DLL or memory area into another process
      • 18 BANK-STATMENT _xlsx.exe
        • 24 BANK-STATMENT _xlsx.exe: Maps a DLL or memory area into another process
          • 33 BANK-STATMENT _xlsx.exe
            • 39 BANK-STATMENT _xlsx.exe: Maps a DLL or memory area into another process
              • 44 BANK-STATMENT _xlsx.exe: contacts mail.iigcest.com, 201.75.14.0.in-addr.arpa, whatismyipaddress.com; signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Sample uses process hollowing technique, 2 other signatures
                • 50 vbc.exe: Tries to steal Instant Messenger accounts or passwords, Tries to steal Mail credentials (via file access)
                • 53 vbc.exe: Tries to harvest and steal browser information (history, passwords, etc)
                • 55 dw20.exe
              • 48 BANK-STATMENT _xlsx.exe
                • 57 BANK-STATMENT _xlsx.exe: Maps a DLL or memory area into another process
                  • 59 BANK-STATMENT _xlsx.exe
                    • 65 BANK-STATMENT _xlsx.exe: Maps a DLL or memory area into another process
                      • 70 BANK-STATMENT _xlsx.exe: contacts 201.75.14.0.in-addr.arpa, whatismyipaddress.com; Installs a global keyboard hook
                  • 61 BANK-STATMENT _xlsx.exe: contacts 201.75.14.0.in-addr.arpa, whatismyipaddress.com; Installs a global keyboard hook
                    • 68 dw20.exe
          • 35 BANK-STATMENT _xlsx.exe: contacts 201.75.14.0.in-addr.arpa, 104.16.155.36 (443, 49764, 49774, CLOUDFLARENETUS United States), whatismyipaddress.com; Installs a global keyboard hook
            • 42 dw20.exe
      • 20 BANK-STATMENT _xlsx.exe: contacts mail.iigcest.com (166.62.27.57, 49746, 49780, 587, AS-26496-GO-DADDY-COM-LLCUS United States), 201.75.14.0.in-addr.arpa, 2 other IPs or domains; signatures: Changes the view of files in windows explorer (hidden files and folders), Writes to foreign memory regions, Allocates memory in foreign processes, 3 other signatures
        • 27 vbc.exe: Tries to steal Mail credentials (via file registry), Tries to steal Instant Messenger accounts or passwords, Tries to steal Mail credentials (via file access)
        • 29 vbc.exe
        • 31 dw20.exe

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name                     Malicious
104.16.154.36  unknown  United States  13335  CLOUDFLARENETUS              false
104.16.155.36  unknown  United States  13335  CLOUDFLARENETUS              false
166.62.27.57   unknown  United States  26496  AS-26496-GO-DADDY-COM-LLCUS  true

Private

IP
192.168.2.1

Contacted Domains

Name                      IP             Active
whatismyipaddress.com     104.16.154.36  true
mail.iigcest.com          166.62.27.57   true
201.75.14.0.in-addr.arpa  unknown        unknown

Contacted URLs

Name                           Malicious  Antivirus Detection  Reputation
http://whatismyipaddress.com/  false                           high